@vellumai/assistant 0.9.0 → 0.10.0-staging.2

package/src/context/strip-injections.ts

@@ -28,6 +28,33 @@ import type { Message } from "../providers/types.js";
  */
 export type InjectionMatcher = string | { prefix: string; suffix: string };
 
+/**
+ * Whether an injected text block matches any of the given matchers. A plain
+ * string matches by prefix; a `{ prefix, suffix }` wrapper requires both ends
+ * so user-authored text merely opening with an injection-like tag is kept.
+ */
+function textBlockMatchesInjection(
+  text: string,
+  matchers: InjectionMatcher[],
+): boolean {
+  return matchers.some((m) =>
+    typeof m === "string"
+      ? text.startsWith(m)
+      : text.startsWith(m.prefix) && text.endsWith(m.suffix),
+  );
+}
+
+/** Drop the matching injection text blocks from a single content array. */
+function filterInjectionBlocks(
+  content: Message["content"],
+  matchers: InjectionMatcher[],
+): Message["content"] {
+  return content.filter(
+    (block) =>
+      block.type !== "text" || !textBlockMatchesInjection(block.text, matchers),
+  );
+}
+
 /**
  * Remove text blocks from user messages that match any of the given matchers.
  * If stripping removes all content blocks from a message, the message itself
@@ -43,14 +70,7 @@ export function stripUserTextBlocksByPrefix(
   return messages
     .map((message) => {
       if (message.role !== "user") return message;
-      const nextContent = message.content.filter((block) => {
-        if (block.type !== "text") return true;
-        return !matchers.some((m) =>
-          typeof m === "string"
-            ? block.text.startsWith(m)
-            : block.text.startsWith(m.prefix) && block.text.endsWith(m.suffix),
-        );
-      });
+      const nextContent = filterInjectionBlocks(message.content, matchers);
       if (nextContent.length === message.content.length) return message;
       if (nextContent.length === 0) return null;
       return { ...message, content: nextContent };
@@ -60,6 +80,30 @@ export function stripUserTextBlocksByPrefix(
     );
 }
 
+/**
+ * Tail-scoped variant of {@link stripUserTextBlocksByPrefix}: remove matching
+ * text blocks from ONLY the last message, and only when that message is a user
+ * message. This mirrors the runtime injection step, which applies every
+ * per-turn block to the tail user message, so clearing the tail's stale copies
+ * before re-injection makes re-injection idempotent.
+ *
+ * The tail message is retained even if all of its blocks are removed, so the
+ * role-`"user"` tail invariant the re-injection step relies on is preserved.
+ * Earlier messages are untouched, so per-message historical grounding (e.g.
+ * each turn's `<turn_context>`) survives and the stable cached prefix — which
+ * lives entirely before the tail — is never disturbed.
+ */
+export function stripTailUserTextBlocksByPrefix(
+  messages: Message[],
+  matchers: InjectionMatcher[],
+): Message[] {
+  const last = messages[messages.length - 1];
+  if (!last || last.role !== "user") return messages;
+  const nextContent = filterInjectionBlocks(last.content, matchers);
+  if (nextContent.length === last.content.length) return messages;
+  return [...messages.slice(0, -1), { ...last, content: nextContent }];
+}
+
 /**
  * Full-wrapper matcher for the memory-v3 ephemeral `<memory_spotlight>` block.
  * Shared by the per-turn scoped strip ({@link stripSpotlightInjections}) and
@@ -88,8 +132,12 @@ export const NOW_SCRATCHPAD_STRIP_PREFIXES: InjectionMatcher[] = [
   "<now_scratchpad>",
 ];
 
-/** Matchers stripped by the pipeline (order doesn't matter — single pass). */
-const RUNTIME_INJECTION_PREFIXES: InjectionMatcher[] = [
+/**
+ * Matchers stripped by the compaction pipeline (order doesn't matter — single
+ * pass). Exported so the post-compaction re-injection path can reuse this set
+ * as the base of its idempotency strip without duplicating it.
+ */
+export const RUNTIME_INJECTION_PREFIXES: InjectionMatcher[] = [
   "<channel_capabilities>",
   "<channel_command_context>",
   "<disk_pressure_warning>",

package/src/context/token-estimator.ts

@@ -305,7 +305,7 @@ export function estimateMessagesTokens(
 }
 
 /** Estimate token cost for a single tool definition. */
-function estimateToolDefinitionTokens(tool: ToolDefinition): number {
+export function estimateToolDefinitionTokens(tool: ToolDefinition): number {
   return (
     TOOL_DEFINITION_OVERHEAD_TOKENS +
     estimateTextTokens(tool.name) +

package/src/credential-execution/process-manager.ts

@@ -312,6 +312,43 @@ function buildLocalCesEnv(): Record<string, string | undefined> {
   };
 }
 
+// ---------------------------------------------------------------------------
+// Close notification (shared by both transports)
+// ---------------------------------------------------------------------------
+
+/**
+ * Tracks the transport `alive` state and notifies registered handlers exactly
+ * once when the transport dies, so the RPC client can fail-fast any in-flight
+ * calls instead of waiting out their timeouts.
+ */
+function createCloseNotifier(): {
+  isAlive: () => boolean;
+  markDead: () => void;
+  onClose: (handler: () => void) => void;
+} {
+  let alive = true;
+  let notified = false;
+  const handlers: Array<() => void> = [];
+  return {
+    isAlive: () => alive,
+    markDead() {
+      alive = false;
+      if (notified) return;
+      notified = true;
+      for (const handler of handlers) {
+        try {
+          handler();
+        } catch {
+          // a close handler must never throw back into the transport
+        }
+      }
+    },
+    onClose(handler) {
+      handlers.push(handler);
+    },
+  };
+}
+
 // ---------------------------------------------------------------------------
 // Stdio transport (local mode)
 // ---------------------------------------------------------------------------
@@ -319,7 +356,7 @@ function buildLocalCesEnv(): Record<string, string | undefined> {
 function createStdioTransport(proc: Subprocess): CesTransport {
   const messageHandlers: Array<(message: string) => void> = [];
   let buffer = "";
-  let alive = true;
+  const death = createCloseNotifier();
 
   // Read stdout line by line — narrow past `number` union arm from Subprocess type
   if (proc.stdout && typeof proc.stdout !== "number") {
@@ -350,9 +387,9 @@ function createStdioTransport(proc: Subprocess): CesTransport {
         endReason = "error";
         readError = err;
       } finally {
-        // Preserve existing semantics: the transport reports dead the moment
-        // the stdout stream ends, regardless of why.
-        alive = false;
+        // Report dead the moment the stdout stream ends (regardless of why),
+        // and notify the client so it can fail-fast any in-flight calls.
+        death.markDead();
 
         // DIAGNOSTIC (observation only). The reconnection path (secure-keys.ts)
         // bounces CES whenever isAlive() goes false. This classifies WHY the
@@ -384,7 +421,7 @@ function createStdioTransport(proc: Subprocess): CesTransport {
 
   // Track process exit
   void proc.exited.then((exitCode) => {
-    alive = false;
+    death.markDead();
     log.info(
       { pid: proc.pid, exitCode },
       "CES stdio transport: process exited",
@@ -393,7 +430,7 @@ function createStdioTransport(proc: Subprocess): CesTransport {
 
   return {
     write(line: string): void {
-      if (!alive || !proc.stdin || typeof proc.stdin === "number") {
+      if (!death.isAlive() || !proc.stdin || typeof proc.stdin === "number") {
         throw new Error("CES stdio transport is not alive");
       }
       proc.stdin.write(line + "\n");
@@ -404,11 +441,13 @@ function createStdioTransport(proc: Subprocess): CesTransport {
     },
 
     isAlive(): boolean {
-      return alive;
+      return death.isAlive();
     },
 
+    onClose: death.onClose,
+
     close(): void {
-      alive = false;
+      death.markDead();
       if (proc.stdin && typeof proc.stdin !== "number") {
         proc.stdin.end();
       }
@@ -423,7 +462,7 @@ function createStdioTransport(proc: Subprocess): CesTransport {
 function createSocketTransport(socket: Socket): CesTransport {
   const messageHandlers: Array<(message: string) => void> = [];
   let buffer = "";
-  let alive = true;
+  const death = createCloseNotifier();
 
   const decoder = new StringDecoder("utf8");
 
@@ -442,17 +481,17 @@ function createSocketTransport(socket: Socket): CesTransport {
   });
 
   socket.on("close", () => {
-    alive = false;
+    death.markDead();
   });
 
   socket.on("error", (err) => {
     log.warn({ err }, "CES socket transport error");
-    alive = false;
+    death.markDead();
   });
 
   return {
     write(line: string): void {
-      if (!alive || socket.destroyed) {
+      if (!death.isAlive() || socket.destroyed) {
         throw new Error("CES socket transport is not alive");
       }
       socket.write(line + "\n");
@@ -463,11 +502,13 @@ function createSocketTransport(socket: Socket): CesTransport {
     },
 
     isAlive(): boolean {
-      return alive && !socket.destroyed;
+      return death.isAlive() && !socket.destroyed;
     },
 
+    onClose: death.onClose,
+
     close(): void {
-      alive = false;
+      death.markDead();
       socket.destroy();
     },
   };

package/src/credential-execution/prompted-credential.ts

@@ -8,9 +8,8 @@
  *     channel actually connects, not just stored;
  *   - any other credential: written to secure storage.
  *
- * Both the `credential_store` tool's prompt action and the CLI
- * `credentials prompt` route share this logic so the two entry points behave
- * identically.
+ * The CLI `credentials prompt` route uses this logic to persist a credential
+ * collected through a secure prompt.
  */
 
 import { getConfig } from "../config/loader.js";

package/src/daemon/__tests__/conversation-lifecycle-auto-analyze.test.ts

@@ -236,8 +236,9 @@ describe("disposeConversation — auto-analysis enqueue", () => {
 
   test("untrusted conversation — enqueues neither graph_extract nor conversation_analyze", () => {
     // `unknown` is the trust class used for untrusted actors. The disposal
-    // code short-circuits on `isUntrustedTrustClass()` so neither enqueue
-    // path should fire. This preserves the memory trust boundary.
+    // code short-circuits when `resolveCapabilities(trustClass).canAccessMemory`
+    // is false, so neither enqueue path should fire. This preserves the
+    // memory trust boundary.
     const ctx = makeDisposeContext({
       conversationId: "conv-untrusted",
       trustClass: "unknown",

package/src/daemon/config-watcher.ts

@@ -178,8 +178,6 @@ export class ConfigWatcher {
    * Start all file watchers. `onConversationEvict` is called when watched
    * files change and conversations need to be evicted for reload.
    * `onIdentityChanged` is called when IDENTITY.md changes on disk.
-   * `onIdentityIntroChanged` is called when SOUL.md changes and identity
-   * intro subscribers should refetch.
    * `onSkillsChanged` is called after skill directory changes evict
    * conversations.
    */
@@ -190,7 +188,6 @@ export class ConfigWatcher {
     onAvatarChanged?: () => void,
     onConfigChanged?: () => void,
     onSkillsChanged?: () => void,
-    onIdentityIntroChanged?: () => void,
   ): void {
     // Reset the stopped flag so a stop()→start() cycle on the same
     // instance resumes hot-reload instead of silently bailing in every
@@ -226,7 +223,6 @@ export class ConfigWatcher {
       },
       "SOUL.md": () => {
         onConversationEvict();
-        onIdentityIntroChanged?.();
       },
       "IDENTITY.md": () => {
         onConversationEvict();

package/src/daemon/conversation-agent-loop-handlers.ts

@@ -1184,6 +1184,7 @@ export async function finalizePendingToolResultRow(
     let provenanceTrustClass:
       | "guardian"
       | "trusted_contact"
+      | "unverified_contact"
       | "unknown"
       | undefined;
     let automated: boolean | undefined;
@@ -1845,6 +1846,7 @@ export async function handleMessageComplete(
     let provenanceTrustClass:
       | "guardian"
       | "trusted_contact"
+      | "unverified_contact"
       | "unknown"
       | undefined;
     let automated: boolean | undefined;

package/src/daemon/conversation-agent-loop.ts

@@ -70,9 +70,9 @@ import type { UserPromptSubmitContext } from "../plugin-api/types.js";
 import { runHook } from "../plugins/pipeline.js";
 import type { ContentBlock, Message } from "../providers/types.js";
 import type { Provider } from "../providers/types.js";
-import { isUntrustedTrustClass } from "../runtime/actor-trust-resolver.js";
 import { broadcastMessage } from "../runtime/assistant-event-hub.js";
 import { DAEMON_INTERNAL_ASSISTANT_ID } from "../runtime/assistant-scope.js";
+import { resolveCapabilities } from "../runtime/capabilities.js";
 import { publishConversationMessagesChanged } from "../runtime/sync/resource-sync-events.js";
 import type { ActivationMomentParam } from "../telemetry/activation-funnel.js";
 import type { UsageActor } from "../usage/actors.js";
@@ -187,6 +187,67 @@ export interface AssistantSurface {
   activationMoment?: ActivationMomentParam;
 }
 
+// ── abort watchdog ───────────────────────────────────────────────────
+
+/**
+ * Generous backstop that drives an aborted turn to its `finally` even if some
+ * awaited operation fails to observe the abort signal.
+ *
+ * Abort is otherwise cooperative and already wired into the slow paths: the
+ * provider call forwards the signal to its HTTP/streaming fetch, and tool
+ * execution races the signal so a stuck tool can't block cancellation. This
+ * watchdog only fires when a future code path silently ignores abort — without
+ * it, such a path would hang the loop forever and latch the conversation's
+ * `processing` flag true (the wedged "Thinking…" indicator). It is
+ * defense-in-depth, not the primary mechanism, so the timeout is deliberately
+ * generous; in the common case abort settles in-flight work well before it.
+ */
+const ABORT_WATCHDOG_MS = 45_000;
+
+/**
+ * Race `work` against an abort watchdog. The watchdog stays disarmed until the
+ * signal fires; once it does, the turn has `timeoutMs` to settle before the
+ * watchdog rejects with the signal's own abort reason so the caller unwinds to
+ * its `finally` and the reason classifies as a user cancellation downstream.
+ * The abandoned `work` promise keeps running detached — its eventual rejection
+ * is swallowed so it can't surface as an unhandled rejection.
+ */
+async function withAbortWatchdog<T>(
+  work: Promise<T>,
+  signal: AbortSignal,
+  timeoutMs: number,
+  onFire: () => void,
+): Promise<T> {
+  let timer: ReturnType<typeof setTimeout> | undefined;
+  let onAbort: (() => void) | undefined;
+  const watchdog = new Promise<never>((_, reject) => {
+    const arm = () => {
+      timer = setTimeout(() => {
+        onFire();
+        // Propagate the signal's own reason (an `AbortReason` for daemon-owned
+        // cancels) so the loop's catch classifies this as a user cancellation;
+        // fall back to a tagged AbortError when the signal carries no reason.
+        reject(
+          signal.reason ??
+            new DOMException("The operation was aborted", "AbortError"),
+        );
+      }, timeoutMs);
+    };
+    if (signal.aborted) arm();
+    else {
+      onAbort = arm;
+      signal.addEventListener("abort", onAbort, { once: true });
+    }
+  });
+  try {
+    return await Promise.race([work, watchdog]);
+  } finally {
+    if (timer) clearTimeout(timer);
+    if (onAbort) signal.removeEventListener("abort", onAbort);
+    void work.catch(() => {});
+  }
+}
+
 // ── runAgentLoop ─────────────────────────────────────────────────────
 
 export async function runAgentLoopImpl(
@@ -215,6 +276,11 @@ export async function runAgentLoopImpl(
      * spawns).
      */
     overrideProfile?: string;
+    /**
+     * Float `overrideProfile` above call-site layers for non-main-agent call
+     * sites. Used when a caller explicitly pins a background run to a profile.
+     */
+    forceOverrideProfile?: boolean;
   },
 ): Promise<void> {
   if (!ctx.abortController) {
@@ -290,6 +356,7 @@ export async function runAgentLoopImpl(
   ctx.toolRoutedProfile = undefined;
 
   const turnOverrideProfile = userExplicitOverride;
+  const forceOverrideProfile = options?.forceOverrideProfile === true;
 
   const readCurrentOverrideProfile = (): string | undefined =>
     options?.overrideProfile ??
@@ -300,6 +367,7 @@ export async function runAgentLoopImpl(
     llm: config.llm,
     callSite: turnCallSite,
     overrideProfile: turnOverrideProfile ?? undefined,
+    forceOverrideProfile,
     selectionSeed: ctx.conversationId,
   });
   let currentEffectiveContextWindow: EffectiveContextWindow =
@@ -307,6 +375,7 @@ export async function runAgentLoopImpl(
   let currentContextWindowConfig = contextWindowConfigFromEffective(
     resolveCallSiteConfig(turnCallSite, config.llm, {
       overrideProfile: turnOverrideProfile ?? undefined,
+      forceOverrideProfile,
       selectionSeed: ctx.conversationId,
     }).contextWindow,
     currentEffectiveContextWindow,
@@ -322,11 +391,13 @@ export async function runAgentLoopImpl(
         llm: config.llm,
         callSite: turnCallSite,
         overrideProfile: currentOverrideProfile,
+        forceOverrideProfile,
         selectionSeed: ctx.conversationId,
       });
       currentContextWindowConfig = contextWindowConfigFromEffective(
         resolveCallSiteConfig(turnCallSite, config.llm, {
           overrideProfile: currentOverrideProfile,
+          forceOverrideProfile,
           selectionSeed: ctx.conversationId,
         }).contextWindow,
         currentEffectiveContextWindow,
@@ -892,21 +963,36 @@ export async function runAgentLoopImpl(
       msgs: Message[],
       compactInPlace = false,
     ): Promise<Message[]> => {
-      const { history, exitReason, newMessages } = await ctx.agentLoop.run({
-        messages: msgs,
-        onEvent: eventHandler,
-        signal: abortController.signal,
-        requestId: reqId,
-        onCheckpoint,
-        callSite: turnCallSite,
-        trust: loopTrust,
-        overrideProfile: turnOverrideProfile,
-        resolveOverrideProfile: resolveCurrentOverrideProfile,
-        resolveContextWindow,
-        compactInPlace,
-        isNonInteractive,
-        modelProfileKey,
-      });
+      const watchdogMs = ctx.abortWatchdogMs ?? ABORT_WATCHDOG_MS;
+      const { history, exitReason, newMessages } = await withAbortWatchdog(
+        ctx.agentLoop.run({
+          messages: msgs,
+          onEvent: eventHandler,
+          signal: abortController.signal,
+          requestId: reqId,
+          onCheckpoint,
+          callSite: turnCallSite,
+          trust: loopTrust,
+          overrideProfile: turnOverrideProfile,
+          ...(forceOverrideProfile ? { forceOverrideProfile: true } : {}),
+          resolveOverrideProfile: resolveCurrentOverrideProfile,
+          resolveContextWindow,
+          compactInPlace,
+          isNonInteractive,
+          modelProfileKey,
+        }),
+        abortController.signal,
+        watchdogMs,
+        () =>
+          rlog.error(
+            {
+              conversationId: ctx.conversationId,
+              requestId: reqId,
+              timeoutMs: watchdogMs,
+            },
+            "Abort watchdog fired — agent loop did not settle after cancel; forcing turn to finally",
+          ),
+      );
       lastRunNewMessages = newMessages;
       if (exitReason === "handoff") {
         yieldedForHandoff = true;
@@ -1439,6 +1525,12 @@ export async function runAgentLoopImpl(
 
     ctx.profiler.emitSummary(ctx.traceEmitter, reqId);
 
+    // Tear down this turn's per-turn state. Abort reliably drives the loop to
+    // this `finally` within a bounded time — cooperative signal propagation
+    // (provider fetch + tool race) backed by the abort watchdog — so a
+    // cancelled turn always unwinds before any resend can start a new one.
+    // There is therefore only ever one turn alive, and clearing the shared
+    // state below cannot clobber a concurrent turn.
     ctx.abortController = null;
     ctx.setProcessing(false);
     ctx.onConfirmationOutcome = undefined;
@@ -1578,9 +1670,9 @@ export async function applyCompactionResult(
   // in-context boundary rather than the raw mirror so the persisted count
   // stays consistent with what the new summary represents and never
   // double-counts an unsliced untrusted view.
-  const inContextCompactedCount = isUntrustedTrustClass(
+  const inContextCompactedCount = !resolveCapabilities(
     ctx.trustContext?.trustClass,
-  )
+  ).canAccessMemory
     ? 0
     : ctx.contextCompactedMessageCount;
   ctx.contextCompactedMessageCount =
@@ -1657,10 +1749,10 @@ function collapseRawResponses(rawResponses?: unknown[]): unknown | undefined {
 
 /**
  * Matches any runtime-injection tag that should never appear inside a
- * generated summary. If the regex hits, either the compaction strip logic
- * failed to drop an injected block from the summarizer input, or the
- * summarizer invented tag-like text on its own — both are quality bugs
- * worth surfacing via telemetry.
+ * generated summary. A hit means the summary echoed an injection tag —
+ * either parroted from history the summarizer read or invented outright.
+ * The durable summary should be clean prose, so the match is surfaced via
+ * telemetry.
  */
 const SUMMARY_MEMORY_ECHO_PATTERN =
   /<(?:memory|memory_context|memory_image|turn_context|workspace|workspace_top_level|knowledge_base|pkb|system_reminder|now_scratchpad|NOW\.md|active_thread|active_subagents|active_workspace|active_dynamic_page|channel_capabilities|transport_hints|system_notice|non_interactive_context|temporal_context|guardian_context|inbound_actor_context|channel_turn_context|interface_turn_context|channel_command_context|voice_call_control)\b/i;

package/src/daemon/conversation-history.ts

@@ -23,7 +23,7 @@ const log = getLogger("conversation-history");
 
 // ── Helpers ──────────────────────────────────────────────────────────
 
-function isToolResultBlock(
+export function isToolResultBlock(
   block: ContentBlock | Record<string, unknown>,
 ): boolean {
   return (

package/src/daemon/conversation-lifecycle.ts

@@ -16,10 +16,8 @@ import type { PermissionPrompter } from "../permissions/prompter.js";
 import type { SecretPrompter } from "../permissions/secret-prompter.js";
 import { disposeContextWindowManager } from "../plugins/defaults/compaction/manager-store.js";
 import type { ContentBlock, Message } from "../providers/types.js";
-import {
-  isUntrustedTrustClass,
-  type TrustClass,
-} from "../runtime/actor-trust-resolver.js";
+import { type TrustClass } from "../runtime/actor-trust-resolver.js";
+import { resolveCapabilities } from "../runtime/capabilities.js";
 import { unregisterConversationSender } from "../tools/browser/browser-screencast.js";
 import { type AbortReason, createAbortReason } from "../util/abort-reasons.js";
 import { getLogger } from "../util/logger.js";
@@ -147,7 +145,7 @@ export function disposeConversation(ctx: DisposeContext): void {
   // Trigger graph extraction for end-of-conversation sweep.
   // Only extract from guardian conversations to preserve the memory trust
   // boundary — untrusted content must not influence future memory retrieval.
-  if (!isUntrustedTrustClass(ctx.trustContext?.trustClass)) {
+  if (resolveCapabilities(ctx.trustContext?.trustClass).canAccessMemory) {
     // Recursion guard: skip graph_extract for auto-analysis conversations.
     // The analysis agent writes memory directly via tools, so extracting
     // from its reflective musings would double-write into the memory graph.

package/src/daemon/conversation-process.ts

@@ -28,7 +28,10 @@ import {
 import { extractPreferences } from "../notifications/preference-extractor.js";
 import { createPreference } from "../notifications/preferences-store.js";
 import type { ContextWindowResult } from "../plugins/defaults/compaction/window-manager.js";
-import { routeGuardianReply } from "../runtime/guardian-reply-router.js";
+import {
+  type GuardianPendingScope,
+  routeGuardianReply,
+} from "../runtime/guardian-reply-router.js";
 import { publishConversationMessagesChanged } from "../runtime/sync/resource-sync-events.js";
 import { getLogger } from "../util/logger.js";
 import type { CleanResult, Conversation } from "./conversation.js";
@@ -153,7 +156,7 @@ function resolveQueuedTurnInterfaceContext(
 }
 
 /** Build a SlashContext from the current conversation state and config. */
-function buildSlashContext(
+export function buildSlashContext(
   content: string,
   conversation: Conversation,
 ): SlashContext | undefined {
@@ -1407,9 +1410,14 @@ export async function processMessage(
           "vellum",
         ).map((request) => request.id)
       : [];
-  const canonicalPendingRequestIdsForConversation =
+  // Empty hints → leave the scope unset (identity-fallback): the desktop
+  // guardian can still resolve their pending work by identity/principal.
+  const pendingScope: GuardianPendingScope | undefined =
     canonicalPendingRequestHintIdsForConversation.length > 0
-      ? canonicalPendingRequestHintIdsForConversation
+      ? {
+          mode: "scoped",
+          requestIds: canonicalPendingRequestHintIdsForConversation,
+        }
       : undefined;
 
   // ── Canonical guardian reply router (desktop/conversation path) ──
@@ -1428,7 +1436,7 @@ export async function processMessage(
           conversation.trustContext?.guardianPrincipalId ?? undefined,
       },
       conversationId: conversation.conversationId,
-      pendingRequestIds: canonicalPendingRequestIdsForConversation,
+      pendingScope,
       // Desktop path: disable NL classification to avoid consuming non-decision
       // messages while a tool confirmation is pending. Deterministic code-prefix
       // and callback parsing remain active.