@vellumai/assistant 0.8.4 → 0.8.5

package/src/__tests__/tool-execution-pipeline.benchmark.test.ts

@@ -421,11 +421,8 @@ describe("Tool execution pipeline benchmark", () => {
         description: `Benchmark tool (${sleepMs}ms)`,
         category: "benchmark",
         defaultRiskLevel: RiskLevel.Low,
-        getDefinition: () => ({
-          name,
-          description: `Benchmark tool (${sleepMs}ms)`,
-          input_schema: { type: "object" as const, properties: {} },
-        }),
+        executionTarget: "sandbox",
+        input_schema: { type: "object" as const, properties: {} },
         execute: async (): Promise<ToolExecutionResult> => {
           if (sleepMs > 0) {
             await new Promise((r) => setTimeout(r, sleepMs));

package/src/__tests__/tool-executor-lifecycle-events.test.ts

@@ -79,7 +79,7 @@ mock.module("../memory/conversation-crud.js", () => ({
 mock.module("../memory/tool-usage-store.js", () => ({
   recordToolInvocation: () => {},
   getRecentInvocations: () => [],
-  rotateToolInvocations: () => 0,
+  rotateToolInvocations: async () => 0,
 }));
 
 mock.module("../tools/registry.js", () => ({
@@ -95,7 +95,7 @@ mock.module("../tools/registry.js", () => ({
         origin: "skill" as const,
         ownerSkillId: "test-skill",
         executionTarget: "host" as const,
-        getDefinition: () => ({}),
+        input_schema: {},
         execute: async () => {
           if (toolThrow) throw toolThrow;
           return fakeToolResult;
@@ -111,7 +111,7 @@ mock.module("../tools/registry.js", () => ({
         origin: "skill" as const,
         ownerSkillId: "test-skill",
         executionTarget: "sandbox" as const,
-        getDefinition: () => ({}),
+        input_schema: {},
         execute: async () => {
           if (toolThrow) throw toolThrow;
           return fakeToolResult;
@@ -129,19 +129,29 @@ mock.module("../tools/registry.js", () => ({
         origin: "skill" as const,
         ownerSkillId: "test-skill",
         executionTarget: "sandbox" as const,
-        getDefinition: () => ({}),
+        input_schema: {},
         execute: async () => {
           if (toolThrow) throw toolThrow;
           return fakeToolResult;
         },
       };
     }
+    // Mirror what the real loader stamps onto a tool at registration time
+    // (every registered Tool has `executionTarget` set). Mirror the
+    // prefix heuristic here so the tests that exercise built-in tools
+    // (`bash`, `host_bash`, `file_read`) still observe production-shaped
+    // executionTarget values.
+    const executionTarget =
+      name.startsWith("host_") || name.startsWith("computer_use_")
+        ? ("host" as const)
+        : ("sandbox" as const);
     return {
       name,
       description: "test tool",
       category: "test",
       defaultRiskLevel: "low",
-      getDefinition: () => ({}),
+      executionTarget,
+      input_schema: {},
       execute: async () => {
         if (toolThrow) throw toolThrow;
         return fakeToolResult;

package/src/__tests__/tool-executor.test.ts

@@ -131,7 +131,7 @@ mock.module("../permissions/checker.js", () => ({
 mock.module("../memory/tool-usage-store.js", () => ({
   recordToolInvocation: () => {},
   getRecentInvocations: () => [],
-  rotateToolInvocations: () => 0,
+  rotateToolInvocations: async () => 0,
 }));
 
 mock.module("../tools/registry.js", () => ({
@@ -143,7 +143,7 @@ mock.module("../tools/registry.js", () => ({
       description: "test tool",
       category: "test",
       defaultRiskLevel: "low",
-      getDefinition: () => ({}),
+      input_schema: {},
       execute: async () => fakeToolResult,
     };
   },
@@ -285,11 +285,7 @@ describe("ToolExecutor allowedToolNames gating", () => {
         description: "test tool",
         category: "test",
         defaultRiskLevel: RiskLevel.Low,
-        getDefinition: () => ({
-          name,
-          description: "test tool",
-          input_schema: { type: "object" as const, properties: {} },
-        }),
+        input_schema: { type: "object" as const, properties: {} },
         execute: async () => fakeToolResult,
       }) as unknown as Tool;
     getAllToolsOverride = () => [
@@ -337,13 +333,10 @@ describe("ToolExecutor allowedToolNames gating", () => {
         description: "tool from a skill",
         category: "skill",
         defaultRiskLevel: RiskLevel.Low,
+        executionTarget: "sandbox" as const,
         origin: "skill" as const,
         ownerSkillId: "my-skill",
-        getDefinition: () => ({
-          name,
-          description: "tool from a skill",
-          input_schema: { type: "object" as const, properties: {} },
-        }),
+        input_schema: { type: "object" as const, properties: {} },
         execute: async () => fakeToolResult,
       };
     };
@@ -382,11 +375,7 @@ describe("ToolExecutor policy context plumbing", () => {
         ownerSkillId: "my-skill-123",
         ownerSkillVersionHash: "abc123hash",
         executionTarget: "sandbox" as const,
-        getDefinition: () => ({
-          name,
-          description: "skill tool",
-          input_schema: { type: "object" as const, properties: {} },
-        }),
+        input_schema: { type: "object" as const, properties: {} },
         execute: async () => fakeToolResult,
       };
     };
@@ -434,12 +423,9 @@ describe("ToolExecutor policy context plumbing", () => {
         description: "core tool",
         category: "core",
         defaultRiskLevel: RiskLevel.Low,
+        executionTarget: "sandbox" as const,
         origin: "core" as const,
-        getDefinition: () => ({
-          name,
-          description: "core tool",
-          input_schema: { type: "object" as const, properties: {} },
-        }),
+        input_schema: { type: "object" as const, properties: {} },
         execute: async () => fakeToolResult,
       };
     };
@@ -471,11 +457,7 @@ describe("ToolExecutor policy context plumbing", () => {
         ownerSkillId: "host-skill",
         ownerSkillVersionHash: "host-hash",
         executionTarget: "host" as const,
-        getDefinition: () => ({
-          name,
-          description: "host skill tool",
-          input_schema: { type: "object" as const, properties: {} },
-        }),
+        input_schema: { type: "object" as const, properties: {} },
         execute: async () => fakeToolResult,
       };
     };
@@ -496,41 +478,6 @@ describe("ToolExecutor policy context plumbing", () => {
     });
   });
 
-  test("skill tool without executionTarget passes undefined executionTarget", async () => {
-    getToolOverride = (name: string) => {
-      if (name === "unknown_tool") return undefined;
-      return {
-        name,
-        description: "skill without target",
-        category: "skill",
-        defaultRiskLevel: RiskLevel.Low,
-        origin: "skill" as const,
-        ownerSkillId: "no-target-skill",
-        // executionTarget intentionally omitted
-        getDefinition: () => ({
-          name,
-          description: "skill tool",
-          input_schema: { type: "object" as const, properties: {} },
-        }),
-        execute: async () => fakeToolResult,
-      };
-    };
-
-    const executor = new ToolExecutor(makePrompter());
-    const result = await executor.execute(
-      "no_target_tool",
-      {},
-      makeContext({ requireFreshApproval: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(lastCheckArgs).toBeDefined();
-    expect(lastCheckArgs!.policyContext).toEqual({
-      conversationId: "conversation-1",
-      executionContext: "conversation",
-      executionTarget: undefined,
-    });
-  });
 });
 
 // ---------------------------------------------------------------------------

package/src/__tests__/tool-grant-request-escalation.test.ts

@@ -31,11 +31,7 @@ const fakeTool = {
   description: "Run a shell command",
   category: "shell",
   defaultRiskLevel: "high",
-  getDefinition: () => ({
-    name: "bash",
-    description: "Run a shell command",
-    input_schema: {},
-  }),
+  input_schema: {},
   execute: async () => ({ content: "ok", isError: false }),
 };
 
@@ -57,7 +53,6 @@ mock.module("../notifications/emit-signal.js", () => ({
       deliveryResults: [],
     };
   },
-  registerBroadcastFn: () => {},
 }));
 
 // Mock channel guardian service — provide a guardian binding for 'self' + 'telegram'

package/src/__tests__/trusted-contact-approval-notifier.test.ts

@@ -33,7 +33,6 @@ mock.module("../notifications/emit-signal.js", () => ({
     reason: "ok",
     deliveryResults: [],
   }),
-  registerBroadcastFn: () => {},
 }));
 
 // ── Gateway client mock ──

package/src/__tests__/trusted-contact-inline-approval-integration.test.ts

@@ -48,7 +48,6 @@ mock.module("../notifications/emit-signal.js", () => ({
       ],
     };
   },
-  registerBroadcastFn: () => {},
 }));
 
 // Mock task run rules
@@ -62,11 +61,7 @@ const fakeTool = {
   description: "Run a shell command",
   category: "shell",
   defaultRiskLevel: "high",
-  getDefinition: () => ({
-    name: "bash",
-    description: "Run a shell command",
-    input_schema: {},
-  }),
+  input_schema: {},
   execute: async () => ({ content: "ok", isError: false }),
 };
 mock.module("../tools/registry.js", () => ({

package/src/__tests__/trusted-contact-multichannel.test.ts

@@ -36,7 +36,6 @@ mock.module("../notifications/emit-signal.js", () => ({
       deliveryResults: [],
     };
   },
-  registerBroadcastFn: () => {},
 }));
 
 // Mock access-request-helper directly to capture notification calls.

package/src/__tests__/ui-file-upload-surface.test.ts

@@ -78,7 +78,7 @@ describe("file_upload interactivity", () => {
 
 describe("ui_show tool includes file_upload", () => {
   test("input_schema surface_type enum includes file_upload", () => {
-    const definition = uiShowTool.getDefinition();
+    const definition = uiShowTool;
     const surfaceTypeEnum = (
       definition.input_schema as {
         properties: { surface_type: { enum: string[] } };
@@ -89,7 +89,7 @@ describe("ui_show tool includes file_upload", () => {
   });
 
   test("description mentions file_upload", () => {
-    const definition = uiShowTool.getDefinition();
+    const definition = uiShowTool;
     expect(definition.description).toContain("file_upload");
   });
 });

package/src/__tests__/usage-routes.test.ts

@@ -59,6 +59,7 @@ function seedEvents() {
       outputTokens: 200,
       cacheCreationInputTokens: 50,
       cacheReadInputTokens: 100,
+      rawUsage: null,
     },
     { estimatedCostUsd: 0.005, pricingStatus: "priced" },
   );
@@ -82,6 +83,7 @@ function seedEvents() {
       outputTokens: 100,
       cacheCreationInputTokens: 0,
       cacheReadInputTokens: 0,
+      rawUsage: null,
     },
     { estimatedCostUsd: 0.001, pricingStatus: "priced" },
   );
@@ -104,6 +106,7 @@ function seedEvents() {
       outputTokens: 400,
       cacheCreationInputTokens: 0,
       cacheReadInputTokens: 0,
+      rawUsage: null,
     },
     { estimatedCostUsd: 0, pricingStatus: "unpriced" },
   );

package/src/__tests__/verification-control-plane-policy.test.ts

@@ -80,7 +80,7 @@ mock.module("../memory/conversation-crud.js", () => ({
 mock.module("../memory/tool-usage-store.js", () => ({
   recordToolInvocation: () => {},
   getRecentInvocations: () => [],
-  rotateToolInvocations: () => 0,
+  rotateToolInvocations: async () => 0,
 }));
 
 mock.module("../tools/registry.js", () => ({
@@ -91,7 +91,7 @@ mock.module("../tools/registry.js", () => ({
       description: "test tool",
       category: "test",
       defaultRiskLevel: "low",
-      getDefinition: () => ({}),
+      input_schema: {},
       execute: async () => fakeToolResult,
     };
   },

package/src/__tests__/workspace-git-service.test.ts

@@ -421,11 +421,12 @@ describe("WorkspaceGitService", () => {
 
       await Promise.all(commits);
 
-      // All commits should have succeeded
-      const log = execFileSync("git", ["log", "--oneline"], {
-        cwd: testDir,
-        encoding: "utf-8",
-      });
+      // Read through the service so GIT_* vars set by CI runners are stripped
+      // (matches the env used for the commits themselves).
+      const { stdout: log } = await service.runReadOnlyGit([
+        "log",
+        "--oneline",
+      ]);
 
       for (let i = 0; i < 10; i++) {
         expect(log).toContain(`Add file ${i}`);

package/src/__tests__/workspace-migration-089-move-memory-tree-out-of-v3.test.ts

@@ -0,0 +1,86 @@
+import * as fs from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+
+import { moveMemoryTreeOutOfV3Migration } from "../workspace/migrations/089-move-memory-tree-out-of-v3.js";
+
+describe("workspace migration 089 — move memory tree out of v3", () => {
+  let ws: string;
+
+  beforeEach(() => {
+    ws = fs.mkdtempSync(join(tmpdir(), "ws-mig-089-"));
+  });
+
+  afterEach(() => {
+    fs.rmSync(ws, { recursive: true, force: true });
+  });
+
+  function writeOldTree(): void {
+    const oldTree = join(ws, "memory", "v3", "tree");
+    fs.mkdirSync(join(oldTree, "people"), { recursive: true });
+    fs.writeFileSync(join(oldTree, "_root.md"), "root");
+    fs.writeFileSync(join(oldTree, "people", "alice.md"), "alice");
+  }
+
+  test("moves memory/v3/tree -> memory/tree (incl. nested) and drops the empty v3 wrapper", () => {
+    writeOldTree();
+    moveMemoryTreeOutOfV3Migration.run(ws);
+
+    expect(fs.existsSync(join(ws, "memory", "v3"))).toBe(false);
+    expect(
+      fs.readFileSync(join(ws, "memory", "tree", "_root.md"), "utf-8"),
+    ).toBe("root");
+    expect(
+      fs.readFileSync(
+        join(ws, "memory", "tree", "people", "alice.md"),
+        "utf-8",
+      ),
+    ).toBe("alice");
+  });
+
+  test("is idempotent — re-running after the move changes nothing", () => {
+    writeOldTree();
+    moveMemoryTreeOutOfV3Migration.run(ws);
+    moveMemoryTreeOutOfV3Migration.run(ws);
+
+    expect(
+      fs.readFileSync(join(ws, "memory", "tree", "_root.md"), "utf-8"),
+    ).toBe("root");
+  });
+
+  test("no-op on a fresh workspace with no old tree", () => {
+    moveMemoryTreeOutOfV3Migration.run(ws);
+    expect(fs.existsSync(join(ws, "memory", "tree"))).toBe(false);
+  });
+
+  test("never clobbers an existing memory/tree", () => {
+    writeOldTree();
+    const newTree = join(ws, "memory", "tree");
+    fs.mkdirSync(newTree, { recursive: true });
+    fs.writeFileSync(join(newTree, "_root.md"), "existing");
+
+    moveMemoryTreeOutOfV3Migration.run(ws);
+
+    // Destination preserved; source left in place for manual resolution.
+    expect(fs.readFileSync(join(newTree, "_root.md"), "utf-8")).toBe(
+      "existing",
+    );
+    expect(fs.existsSync(join(ws, "memory", "v3", "tree", "_root.md"))).toBe(
+      true,
+    );
+  });
+
+  test("down() restores memory/tree back to memory/v3/tree", () => {
+    const newTree = join(ws, "memory", "tree");
+    fs.mkdirSync(newTree, { recursive: true });
+    fs.writeFileSync(join(newTree, "_root.md"), "root");
+
+    moveMemoryTreeOutOfV3Migration.down(ws);
+
+    expect(fs.existsSync(join(ws, "memory", "tree"))).toBe(false);
+    expect(
+      fs.readFileSync(join(ws, "memory", "v3", "tree", "_root.md"), "utf-8"),
+    ).toBe("root");
+  });
+});

package/src/acp/__tests__/prepare-agent-env.test.ts

@@ -0,0 +1,146 @@
+/**
+ * Tests for `prepareAgentEnv` — the shared helper that injects required env
+ * vars onto an `AcpAgentConfig` and preflights that they're set.
+ *
+ * The route-level test in `runtime/routes/acp-routes.test.ts` covers the same
+ * behavior through the HTTP handler; these tests pin the helper in isolation
+ * so the contract is clear and a future refactor can't silently break it.
+ */
+
+import { beforeEach, describe, expect, mock, test } from "bun:test";
+
+// Stub the secure-keys backend BEFORE importing the helper. Bun's
+// `mock.module` is process-global and only takes effect for imports that
+// follow it — the dynamic import below ensures correctness.
+const secureKeyStore = new Map<string, string>();
+
+mock.module("../../security/secure-keys.js", () => ({
+  getSecureKeyAsync: async (key: string) => secureKeyStore.get(key),
+}));
+
+const { prepareAgentEnv } = await import("../prepare-agent-env.js");
+
+beforeEach(() => {
+  secureKeyStore.clear();
+});
+
+describe("prepareAgentEnv — claude-agent-acp gating", () => {
+  test("injects CLAUDE_CODE_OAUTH_TOKEN from the secure store when agent.env has no override", async () => {
+    secureKeyStore.set("credential/acp/claude_oauth_token", "vault-AAA");
+
+    const prepared = await prepareAgentEnv({
+      command: "claude-agent-acp",
+      args: [],
+    });
+
+    expect(prepared.env?.CLAUDE_CODE_OAUTH_TOKEN).toBe("vault-AAA");
+  });
+
+  test("accepts CLAUDE_CODE_OAUTH_TOKEN from agent.env (config.json override) with no vault entry", async () => {
+    const prepared = await prepareAgentEnv({
+      command: "claude-agent-acp",
+      args: [],
+      env: { CLAUDE_CODE_OAUTH_TOKEN: "config-BBB" },
+    });
+
+    expect(prepared.env?.CLAUDE_CODE_OAUTH_TOKEN).toBe("config-BBB");
+  });
+
+  test("agent.env override wins over the secure-store entry (precedence pin)", async () => {
+    // The config-supplied env wins so users can rotate per-workspace without
+    // racing the vault. Mirrors the route-level precedence test.
+    secureKeyStore.set("credential/acp/claude_oauth_token", "vault-CCC");
+
+    const prepared = await prepareAgentEnv({
+      command: "claude-agent-acp",
+      args: [],
+      env: { CLAUDE_CODE_OAUTH_TOKEN: "config-DDD" },
+    });
+
+    expect(prepared.env?.CLAUDE_CODE_OAUTH_TOKEN).toBe("config-DDD");
+  });
+
+  test("preserves unrelated env vars on agent.env when injecting from the vault", async () => {
+    secureKeyStore.set("credential/acp/claude_oauth_token", "vault-EEE");
+
+    const prepared = await prepareAgentEnv({
+      command: "claude-agent-acp",
+      args: [],
+      env: { OTHER_VAR: "keep-me" },
+    });
+
+    expect(prepared.env?.CLAUDE_CODE_OAUTH_TOKEN).toBe("vault-EEE");
+    expect(prepared.env?.OTHER_VAR).toBe("keep-me");
+  });
+
+  test("throws FailedDependencyError when no token is provided from either route", async () => {
+    // secureKeyStore empty, no agent.env override — the preflight must throw
+    // so callers fail fast instead of spawning a zombie subprocess that the
+    // SDK rejects with 'Authentication required' after the first prompt.
+    await expect(
+      prepareAgentEnv({ command: "claude-agent-acp", args: [] }),
+    ).rejects.toThrow("CLAUDE_CODE_OAUTH_TOKEN");
+  });
+
+  test("gates on the resolved command BASENAME (alias to /custom/path/claude-agent-acp still gets the token)", async () => {
+    // A user-supplied `acp.agents.my-claude = { command: "/opt/.../claude-agent-acp" }`
+    // is the only realistic path that lands a non-bare basename here. The
+    // helper must still recognize it.
+    secureKeyStore.set("credential/acp/claude_oauth_token", "vault-FFF");
+
+    const prepared = await prepareAgentEnv({
+      command: "/opt/bin/claude-agent-acp",
+      args: [],
+    });
+
+    expect(prepared.env?.CLAUDE_CODE_OAUTH_TOKEN).toBe("vault-FFF");
+  });
+
+  test("does NOT mutate the caller's agentConfig", async () => {
+    // Callers pass `resolved.agent` which is shared state from the resolver's
+    // config cache. The helper must clone before mutating, otherwise repeated
+    // spawns would race on the same object.
+    secureKeyStore.set("credential/acp/claude_oauth_token", "vault-GGG");
+    const original = {
+      command: "claude-agent-acp",
+      args: [],
+      env: { OTHER: "keep" },
+    };
+    const beforeEnv = { ...original.env };
+
+    const prepared = await prepareAgentEnv(original);
+
+    expect(prepared).not.toBe(original);
+    expect(prepared.env).not.toBe(original.env);
+    expect(original.env).toEqual(beforeEnv);
+    expect(original.env).not.toHaveProperty("CLAUDE_CODE_OAUTH_TOKEN");
+  });
+});
+
+describe("prepareAgentEnv — non-claude commands", () => {
+  test("returns the config unchanged for codex-acp (no required env vars today)", async () => {
+    // codex-acp inherits auth from the underlying `codex` CLI binary
+    // (codex login / CODEX_API_KEY / OPENAI_API_KEY in process.env) — no
+    // ACP-level env injection. Pin that contract so a future change has
+    // to update this test explicitly.
+    const prepared = await prepareAgentEnv({
+      command: "codex-acp",
+      args: [],
+    });
+
+    expect(prepared.env).toEqual({});
+  });
+
+  test("returns the config unchanged for an unrecognized command basename", async () => {
+    secureKeyStore.set("credential/acp/claude_oauth_token", "vault-HHH");
+
+    const prepared = await prepareAgentEnv({
+      command: "some-future-adapter",
+      args: [],
+      env: { FOO: "bar" },
+    });
+
+    // No injection — basename gate skipped.
+    expect(prepared.env).toEqual({ FOO: "bar" });
+  });
+});

package/src/acp/prepare-agent-env.ts

@@ -0,0 +1,78 @@
+/**
+ * Inject required env vars for an ACP agent and preflight that they're set.
+ *
+ * Called by every code path that hands an `AcpAgentConfig` to
+ * `AcpSessionManager.spawn`. There are TWO such paths today — the HTTP
+ * route `/v1/acp/spawn` (`runtime/routes/acp-routes.ts:spawnSession`) and
+ * the skill tool `acp_spawn` (`tools/acp/spawn.ts:executeAcpSpawn`) — and
+ * before this helper existed the env-injection logic lived inline in the
+ * route only. The skill-tool path bypassed it entirely, so spawns landed
+ * with no `CLAUDE_CODE_OAUTH_TOKEN`, the SDK rejected the first prompt
+ * with "Authentication required", and the subprocess died as a zombie
+ * with no completion notification.
+ *
+ * The fix: have this single helper own injection + preflight, and have
+ * every caller route through it before calling `manager.spawn`.
+ */
+
+import { basename } from "node:path";
+
+import { FailedDependencyError } from "../runtime/routes/errors.js";
+import { credentialKey } from "../security/credential-key.js";
+import { getSecureKeyAsync } from "../security/secure-keys.js";
+import type { AcpAgentConfig } from "./types.js";
+
+/**
+ * Returns a NEW config with any required credentials merged into `env`.
+ * Does NOT mutate the input. Throws `FailedDependencyError` if a required
+ * credential is missing from both the user-supplied env override and the
+ * secure store.
+ *
+ * Gating is keyed off the resolved agent COMMAND (basename), not the
+ * user-facing agent id, so a custom `acp.agents.my-claude = { command:
+ * "claude-agent-acp", ... }` alias still gets the env it needs.
+ *
+ * For `claude-agent-acp` the only required env var is
+ * `CLAUDE_CODE_OAUTH_TOKEN`. Two provisioning routes converge on it, with
+ * config.json winning over the vault so explicit user overrides
+ * (per-workspace, rotated, etc.) are never silently clobbered:
+ *   1. `acp.agents.<id>.env.CLAUDE_CODE_OAUTH_TOKEN` in `config.json` —
+ *      the user-supplied env override on the resolved agent config.
+ *   2. Secure store via CLI: `assistant credentials set --service acp \
+ *        --field claude_oauth_token <token>` — written to the canonical
+ *      `credential/{service}/{field}` key built by `credentialKey()`,
+ *      used as fallback when (1) is unset.
+ * After resolution, this asserts the token is present (from either route)
+ * before spawning. The "fail-fast" throw is symmetric with the existing
+ * `binary_not_found` preflight in `resolveAcpAgent` and strictly better
+ * than a `warn` + zombie subprocess 10 seconds later.
+ */
+export async function prepareAgentEnv(
+  agentConfig: AcpAgentConfig,
+): Promise<AcpAgentConfig> {
+  // Clone caller's config + env so we never mutate the resolver's cached
+  // agent reference. The local `env` binding sidesteps TS narrowing
+  // limitations on the optional `AcpAgentConfig.env` field.
+  const env: Record<string, string> = { ...(agentConfig.env ?? {}) };
+  const commandBasename = basename(agentConfig.command);
+
+  if (commandBasename === "claude-agent-acp") {
+    if (!env.CLAUDE_CODE_OAUTH_TOKEN) {
+      const claudeToken = await getSecureKeyAsync(
+        credentialKey("acp", "claude_oauth_token"),
+      );
+      if (claudeToken) {
+        env.CLAUDE_CODE_OAUTH_TOKEN = claudeToken;
+      }
+    }
+    if (!env.CLAUDE_CODE_OAUTH_TOKEN) {
+      throw new FailedDependencyError(
+        "claude-agent-acp requires CLAUDE_CODE_OAUTH_TOKEN. " +
+          "Run: assistant credentials set --service acp --field claude_oauth_token <token> " +
+          "(or set it under acp.agents.<id>.env in config.json).",
+      );
+    }
+  }
+
+  return { ...agentConfig, env };
+}

package/src/acp/session-manager.ts

@@ -306,7 +306,7 @@ export class AcpSessionManager {
    */
   private teardownSession(acpSessionId: string, entry: SessionEntry): void {
     for (const requestId of entry.clientHandler.pendingRequestIds) {
-      const interaction = pendingInteractions.resolve(requestId);
+      const interaction = pendingInteractions.resolve(requestId, "cancelled");
       if (interaction?.directResolve) {
         interaction.directResolve("deny");
       }