@vellumai/assistant 0.9.0 → 0.10.0-staging.2

package/src/daemon/handlers/conversations.ts

@@ -3,14 +3,21 @@ import { v4 as uuid } from "uuid";
 import { clearAll, getConversation } from "../../memory/conversation-crud.js";
 import { resolveConversationId } from "../../memory/conversation-key-store.js";
 import { broadcastMessage } from "../../runtime/assistant-event-hub.js";
+import { resolveCapabilities } from "../../runtime/capabilities.js";
 import { getSubagentManager } from "../../subagent/index.js";
 import { createAbortReason } from "../../util/abort-reasons.js";
+import { UserError } from "../../util/errors.js";
 import { truncate } from "../../util/truncate.js";
 import { regenerate } from "../conversation-history.js";
+import {
+  buildSlashContext,
+  formatCleanResult,
+} from "../conversation-process.js";
 import {
   conversationEntries,
   findConversation,
 } from "../conversation-registry.js";
+import { resolveSlash } from "../conversation-slash.js";
 import {
   clearAllActiveConversations,
   getOrCreateConversation,
@@ -18,6 +25,7 @@ import {
 } from "../conversation-store.js";
 import type { ConfirmationResponse } from "../message-protocol.js";
 import { normalizeConversationType } from "../message-protocol.js";
+import { INTERNAL_GUARDIAN_TRUST_CONTEXT } from "../trust-context.js";
 import { log } from "./shared.js";
 
 export function handleConfirmationResponse(msg: ConfirmationResponse): void {
@@ -98,6 +106,12 @@ export function cancelGeneration(conversationId: string): boolean {
   // being cancelled, so enqueuing synthetic messages would trigger
   // unwanted model activity after the user pressed stop.
   getSubagentManager().abortAllForParent(conversationId);
+  // The processing flag is cleared by the in-flight turn's `finally`, not here.
+  // Abort propagates into the provider call and tool execution (and is backed
+  // by the agent loop's abort watchdog), so the turn reaches its `finally`
+  // within a bounded time and tears down its own state there — which publishes
+  // the metadata sync invalidation that drives clients to the authoritative
+  // idle state.
   return true;
 }
 
@@ -118,6 +132,99 @@ export async function undoLastMessage(
   const removedCount = conversation.undo();
   return { removedCount };
 }
+
+export interface MetaSlashCommandResult {
+  kind: "clean" | "info";
+  /** User-facing text to render (clean stats card or info listing). */
+  text: string;
+  /** Present for `/clean`: the post-strip context-window usage. */
+  contextUsage?: {
+    tokens: number;
+    maxTokens: number | null;
+    fillRatio: number | null;
+  };
+}
+
+/**
+ * Resolve a local meta slash command (`/clean`, `/status`, `/commands`,
+ * `/models`) for a conversation without running a turn: no user/assistant
+ * messages are persisted and no streaming/turn events are emitted. `/clean`
+ * additionally strips runtime injections via `forceClean`.
+ *
+ * Returns null if the conversation cannot be resolved. Throws `UserError` for
+ * commands that are not local meta commands (`/compact`, passthrough) — those
+ * must be sent as a normal message so they run a real turn.
+ */
+export async function resolveMetaSlashCommand(
+  conversationId: string,
+  command: string,
+): Promise<MetaSlashCommandResult | null> {
+  const resolvedId = resolveConversationId(conversationId);
+  if (!resolvedId) {
+    return null;
+  }
+  const conversation = await getOrCreateConversation(resolvedId);
+  touchConversation(resolvedId);
+
+  // Meta commands reload (and, for `/clean`, strip) the in-memory history
+  // array. Running that against an in-flight turn would corrupt the messages
+  // the active agent loop is iterating over, and mutating trustContext would
+  // elevate that turn's actor trust to guardian for subsequent tool calls.
+  if (conversation.isProcessing()) {
+    throw new UserError(
+      `\`${command.trim()}\` cannot run while the assistant is responding.`,
+    );
+  }
+
+  // Owner self-maintenance operates on the full (guardian) history. Without a
+  // trusted context, `loadFromDb` filters to non-guardian provenance — so a
+  // guardian-authored conversation would report 0 preserved / 0 messages.
+  // Temporarily apply the guardian context for hydration and restore it
+  // afterward so the elevated class never leaks into a later turn's snapshot.
+  const priorTrustContext = conversation.trustContext;
+  if (!resolveCapabilities(priorTrustContext?.trustClass).canAccessMemory) {
+    conversation.setTrustContext(INTERNAL_GUARDIAN_TRUST_CONTEXT);
+  }
+  try {
+    await conversation.ensureActorScopedHistory();
+
+    const slashResult = await resolveSlash(
+      command,
+      buildSlashContext(command, conversation),
+    );
+
+    if (slashResult.kind === "clean") {
+      const result = await conversation.forceClean();
+      return {
+        kind: "clean",
+        text: formatCleanResult(result),
+        contextUsage: {
+          tokens: result.estimatedInputTokens,
+          maxTokens: result.maxInputTokens,
+          fillRatio:
+            result.maxInputTokens > 0
+              ? result.estimatedInputTokens / result.maxInputTokens
+              : null,
+        },
+      };
+    }
+
+    if (slashResult.kind === "unknown") {
+      return { kind: "info", text: slashResult.message };
+    }
+
+    // `compact` / `passthrough` are real turns, not local meta commands.
+    throw new UserError(`\`${command.trim()}\` is not a local meta command.`);
+  } finally {
+    // Only undo the temporary guardian context this handler installed. If a
+    // new turn started at an `await` boundary and legitimately updated
+    // trustContext, the reference will differ and we leave it alone.
+    if (conversation.trustContext === INTERNAL_GUARDIAN_TRUST_CONTEXT) {
+      conversation.setTrustContext(priorTrustContext ?? null);
+    }
+  }
+}
+
 /**
  * Regenerate the last assistant response for a conversation. The caller provides
  * a `sendEvent` callback for delivering streaming events via HTTP/SSE.

package/src/daemon/host-browser-proxy.ts

@@ -9,6 +9,7 @@ import * as pendingInteractions from "../runtime/pending-interactions.js";
 import type { ToolExecutionResult } from "../tools/types.js";
 import { AssistantError, ErrorCode } from "../util/errors.js";
 import { getLogger } from "../util/logger.js";
+import { sleep } from "../util/retry.js";
 import type { HostBrowserRequest } from "./message-types/host-browser.js";
 
 /** Distributive omit that preserves union variant fields. */
@@ -24,6 +25,16 @@ export type HostBrowserInput = DistributiveOmit<
 
 const log = getLogger("host-browser-proxy");
 
+/**
+ * Grace window for a flapping extension SSE connection. The Chrome
+ * extension's stream can briefly drop and reconnect (MV3 service-worker
+ * churn); without a short wait, a dispatch landing in a "down" blip
+ * hard-fails even though the extension is effectively connected. Well
+ * under the request-layer timeout (default 30s).
+ */
+const EXTENSION_RECONNECT_GRACE_MS = 3_000;
+const EXTENSION_RECONNECT_POLL_MS = 250;
+
 /**
  * Extension-only pseudo-CDP methods (Vellum.listTabs, Vellum.selectTab,
  * Vellum.closeTab, Vellum.createTab, Vellum.findTab, Vellum.attach,
@@ -196,6 +207,36 @@ export class HostBrowserProxy {
     );
   }
 
+  /**
+   * Poll until the extension client that dispatch will route to is
+   * connected, or `timeoutMs` elapses. Absorbs brief SSE reconnect blips
+   * so extension-pinned dispatch doesn't hard-fail on a momentary gap.
+   *
+   * When `targetClientId` is supplied, waits for that *exact* client —
+   * `request()` resolves the target by id, so waiting for any sibling
+   * extension (multi-install setups) would return early and still fail.
+   * Otherwise waits for any extension owned by the actor, matching the
+   * auto-resolution preference. Returns the final availability; callers
+   * proceed to dispatch regardless (which still surfaces the typed "no
+   * Chrome Extension connected" error if absent).
+   */
+  async waitForExtensionClient(
+    sourceActorPrincipalId?: string,
+    targetClientId?: string,
+    timeoutMs = EXTENSION_RECONNECT_GRACE_MS,
+  ): Promise<boolean> {
+    const connected = () =>
+      targetClientId != null
+        ? assistantEventHub.getClientById(targetClientId) !== undefined
+        : this.hasExtensionClient(sourceActorPrincipalId);
+    const deadline = Date.now() + timeoutMs;
+    for (;;) {
+      if (connected()) return true;
+      if (Date.now() >= deadline) return false;
+      await sleep(EXTENSION_RECONNECT_POLL_MS);
+    }
+  }
+
   /**
    * Send a host_browser request to the connected extension/macOS bridge.
    *

package/src/daemon/lifecycle.ts

@@ -20,6 +20,7 @@ import {
 import { loadConfig, mergeDefaultWorkspaceConfig } from "../config/loader.js";
 import type { AssistantConfig } from "../config/schema.js";
 import { seedInferenceProfiles } from "../config/seed-inference-profiles.js";
+import { reconcileFlagGatedProfiles } from "../config/sync-gated-profiles.js";
 import type { CesClient } from "../credential-execution/client.js";
 import { createCesClient } from "../credential-execution/client.js";
 import { refreshManagedConnectionCache } from "../credential-execution/managed-catalog.js";
@@ -60,6 +61,10 @@ import { sweepConceptPageFrontmatter } from "../memory/v2/frontmatter-sweep.js";
 import { emitNotificationSignal } from "../notifications/emit-signal.js";
 import { backfillManualTokenConnections } from "../oauth/manual-token-connection.js";
 import { seedOAuthProviders } from "../oauth/seed-providers.js";
+import {
+  startConsentRefresh,
+  stopConsentRefresh,
+} from "../platform/consent-cache.js";
 import { ensurePromptFiles } from "../prompts/system-prompt.js";
 import { runProviderConnectionsBackfill } from "../providers/inference/backfill.js";
 import { resolveManagedProxyContext } from "../providers/platform-proxy/context.js";
@@ -71,7 +76,10 @@ import {
 import { RuntimeHttpServer } from "../runtime/http-server.js";
 import { recoverInterruptedImport } from "../runtime/migrations/vbundle-streaming-importer.js";
 import { registerSecretsDeps } from "../runtime/routes/secrets-deps.js";
-import { publishConversationListChanged } from "../runtime/sync/resource-sync-events.js";
+import {
+  publishConfigChanged,
+  publishConversationListChanged,
+} from "../runtime/sync/resource-sync-events.js";
 import { recoverStaleSchedules } from "../schedule/schedule-recovery.js";
 import { startScheduler } from "../schedule/scheduler.js";
 import {
@@ -130,6 +138,7 @@ import {
 } from "./providers-setup.js";
 import { DaemonServer } from "./server.js";
 import { installShutdownHandlers } from "./shutdown-handlers.js";
+import { registerShutdownHook } from "./shutdown-registry.js";
 import { refreshSkillCapabilityMemories } from "./skill-memory-refresh.js";
 
 const log = getLogger("lifecycle");
@@ -284,9 +293,10 @@ export async function runDaemon(): Promise<void> {
   log.info({ version: APP_VERSION }, "Daemon starting");
 
   try {
-    // Initialize crash reporting eagerly so early startup failures are
-    // captured. After config loads we check the opt-out flag and call
-    // closeSentry() if the user has disabled it.
+    // Initialize crash reporting eagerly so the Sentry client is ready before
+    // early startup failures occur. Events are dropped (beforeSend) until the
+    // consent gate below confirms share_diagnostics opt-in; dev mode and the
+    // legacy local opt-out hard-disable via closeSentry().
     initSentry();
 
     ensureDataDir();
@@ -365,8 +375,23 @@ export async function runDaemon(): Promise<void> {
     // this fetch completes, so without this follow-up sync a flag-enabled
     // assistant would not expose the gated tools until a restart (which can lose
     // the same race). Enable-direction only; chained so it sees the fresh cache.
+    // Then reconcile flag-gated managed profiles (OS Beta): `seedInferenceProfiles()`
+    // runs synchronously earlier in boot before flags are available, so this lands
+    // the profile on the same boot once the flag cache is populated. When this
+    // reconcile is the call that mutates config (it raced ahead of the gateway
+    // flag listener), publish the config invalidation so any client that already
+    // fetched `GET /v1/config` refreshes its profile picker.
+    // Profiles are reconciled only when flags actually loaded from the gateway:
+    // a failed fetch leaves the cache unset and resolves `os-beta` to its
+    // registry default `false`, which would remove the user's profile and reset
+    // their selection. Tool sync tolerates the default and stays unconditional.
     void initFeatureFlagOverrides()
-      .then(() => syncFlagGatedTools())
+      .then(async (loaded) => {
+        await syncFlagGatedTools();
+        if (loaded && reconcileFlagGatedProfiles()) {
+          publishConfigChanged();
+        }
+      })
       .catch((err) => log.warn({ err }, "Background feature flag init failed"));
 
     startGatewayFlagListener();
@@ -636,22 +661,27 @@ export async function runDaemon(): Promise<void> {
       });
     }
 
-    // Privacy gating: Sentry crash/error reporting is gated by sendDiagnostics,
-    // while the usage telemetry reporter re-checks collectUsageData on every
-    // flush. Both are disabled in dev mode. Early-startup crashes before this
-    // point are still captured.
+    // Privacy gating: Sentry crash/error reporting follows the platform owner's
+    // share_diagnostics consent; the usage telemetry reporter re-checks
+    // share_analytics on every flush. Both are disabled in dev mode. Sentry was
+    // initialized early, but beforeSend re-reads getCachedShareDiagnostics() on
+    // every event, so it drops events until consent confirms opt-in and honors a
+    // later revocation within one refresh cycle (the cache is refreshed by
+    // startConsentRefresh() below, mirroring the share_analytics posture).
     const isDevMode = process.env.VELLUM_DEV === "1";
-    const sendDiagnostics = !isDevMode && config.sendDiagnostics;
-    if (!sendDiagnostics) {
+    if (isDevMode || config.legacyDiagnosticsOptOut === true) {
+      // Dev mode and a preserved legacy local opt-out both disable Sentry
+      // unconditionally, without waiting on platform consent.
       await closeSentry();
     }
 
     // Construct and start the reporter even when usage collection is disabled:
-    // flush() re-checks collectUsageData each cycle and, when opted out, sends
-    // nothing but advances all watermarks (including the final flush in
-    // stop()). New opted-out tool_invocations rows are already unreportable by
-    // construction — the audit listener persists NULL telemetry columns for
-    // them, which the tool_executed projection filters out — so the opted-out
+    // flush() re-checks the platform share_analytics consent each cycle and,
+    // when opted out, sends nothing but advances all watermarks (including the
+    // final flush in stop()). New opted-out tool_invocations rows are already
+    // unreportable by construction — the audit listener persists NULL telemetry
+    // columns for them, which the tool_executed projection filters out — so the
+    // opted-out
     // flushes are defense in depth there (covering rows recorded under builds
     // that predate that write-time gate) and remain the primary guard for the
     // always-on tables without a write-time gate (llm_usage, turn events).
@@ -665,12 +695,17 @@ export async function runDaemon(): Promise<void> {
       telemetryReporter = new UsageTelemetryReporter();
       setUsageTelemetryReporter(telemetryReporter);
       telemetryReporter.start();
-      log.info(
-        { collectUsageData: config.collectUsageData },
-        "Usage telemetry reporter started",
-      );
+      log.info("Usage telemetry reporter started");
     }
 
+    // Refresh the consent cache regardless of dev mode so record-time telemetry
+    // writes (gated on getCachedShareAnalytics()) work in dev too. The reporter
+    // flush stays dev-gated above, so dev still never sends telemetry to the
+    // platform. Fire-and-forget: startConsentRefresh() runs an immediate
+    // non-blocking refresh, so the startup hot path is never blocked.
+    startConsentRefresh();
+    registerShutdownHook("consent-cache", () => stopConsentRefresh());
+
     // CES lifecycle — kick off early so CES handshake runs concurrently with
     // provider/tool initialization. The CES sidecar accepts exactly one
     // bootstrap connection, so startup must happen at the process level.
@@ -1281,13 +1316,6 @@ export async function runDaemon(): Promise<void> {
       log.warn({ err }, "Assistant symlink installation failed — continuing");
     }
 
-    // Seed preloaded apps (personal landing page) in background (non-blocking).
-    void import("../memory/preloaded-apps.js")
-      .then(({ seedPreloadedApps }) => seedPreloadedApps(config))
-      .catch((err) =>
-        log.warn({ err }, "Preloaded app seeding failed — continuing"),
-      );
-
     // Download embedding runtime in background (non-blocking).
     // If download fails, local embeddings gracefully fall back to cloud backends.
     void (async () => {

package/src/daemon/message-provenance.ts

@@ -26,6 +26,7 @@ export function parseProvenanceTrustClass(
     if (
       trustClass === "guardian" ||
       trustClass === "trusted_contact" ||
+      trustClass === "unverified_contact" ||
       trustClass === "unknown"
     ) {
       return trustClass;
@@ -43,6 +44,7 @@ export function filterMessagesForUntrustedActor(
     const provenanceTrustClass = parseProvenanceTrustClass(m.metadata);
     return (
       provenanceTrustClass === "trusted_contact" ||
+      provenanceTrustClass === "unverified_contact" ||
       provenanceTrustClass === "unknown"
     );
   });

package/src/daemon/message-types/contacts.ts

@@ -54,7 +54,6 @@ export interface ContactChannelPayload {
   type: string;
   address: string;
   isPrimary: boolean;
-  externalUserId?: string;
   status: string;
   policy: string;
   verifiedAt?: number;

package/src/daemon/message-types/conversations.ts

@@ -462,9 +462,9 @@ export interface ContextCompacted {
    * - `summaryCharCount`: length of the produced summary text.
    * - `summaryHeaderCount`: number of `## ` section headers in the summary.
    * - `summaryHadMemoryEcho`: `true` if the summary contains any runtime
-   *   injection tag (e.g. `<memory`, `<turn_context>`, `<workspace>`).
-   *   Should always be `false` — `true` indicates the compaction strip
-   *   logic failed to remove an injected block from the summarizer input.
+   *   injection tag (e.g. `<memory`, `<turn_context>`, `<workspace>`). The
+   *   durable summary should be clean prose, so `true` flags an echoed or
+   *   invented tag worth investigating.
    */
   summaryCharCount?: number;
   summaryHeaderCount?: number;

package/src/daemon/message-types/sync.ts

@@ -10,7 +10,6 @@ export { type SyncChangedEvent, SyncChangedEventSchema };
 export const SYNC_TAGS = {
   assistantAvatar: "assistant:self:avatar",
   assistantIdentity: "assistant:self:identity",
-  assistantIdentityIntro: "assistant:self:identity-intro",
   assistantConfig: "assistant:self:config",
   assistantSounds: "assistant:self:sounds",
   assistantSchedules: "assistant:self:schedules",

package/src/daemon/message-types/web-activity.ts

@@ -9,7 +9,11 @@ export type WebSearchProviderId =
   | "anthropic-native"
   | "brave"
   | "perplexity"
-  | "tavily";
+  | "tavily"
+  | "firecrawl";
+
+/** Provider that backed a `web_fetch` call. `default` is the built-in fetcher. */
+export type WebFetchProviderId = "default" | "firecrawl";
 
 export interface WebSearchResultItem {
   rank: number; // 1-indexed
@@ -35,6 +39,8 @@ export interface WebSearchMetadata {
 export interface WebFetchMetadata {
   url: string;
   finalUrl: string;
+  /** Provider that served the fetch. Defaults to the built-in fetcher. */
+  provider?: WebFetchProviderId;
   status: number;
   contentType?: string;
   byteCount: number;

package/src/daemon/message-types/workflows.ts

@@ -18,6 +18,13 @@ import type { WorkflowRunStatus } from "../../workflows/journal-store.js";
 export interface WorkflowProgress {
   type: "workflow_progress";
   runId: string;
+  /**
+   * Originating conversation id, when launched from one; lets `broadcastMessage`
+   * auto-scope + seq-stamp the event to that conversation's SSE stream. Omitted
+   * for a conversationless run (e.g. a scheduled workflow), which broadcasts
+   * unscoped for raw SSE listeners and the DB record.
+   */
+  conversationId?: string;
   /** Latest phase title, when this emission came from a `phase(...)` call. */
   phase?: string;
   /** Run label (the workflow's `meta.name`), for client display. */
@@ -36,6 +43,13 @@ export interface WorkflowProgress {
 export interface WorkflowCompleted {
   type: "workflow_completed";
   runId: string;
+  /**
+   * Originating conversation id, when launched from one; lets `broadcastMessage`
+   * auto-scope + seq-stamp the event to that conversation's SSE stream. Omitted
+   * for a conversationless run (e.g. a scheduled workflow), which broadcasts
+   * unscoped for raw SSE listeners and the DB record.
+   */
+  conversationId?: string;
   status: WorkflowRunStatus;
   agentsSpawned: number;
   inputTokens: number;
@@ -44,6 +58,74 @@ export interface WorkflowCompleted {
   summary?: string;
 }
 
+/**
+ * A workflow run has started. Emitted once at launch, before any leaf events.
+ */
+export interface WorkflowStarted {
+  type: "workflow_started";
+  runId: string;
+  /**
+   * Originating conversation id; lets `broadcastMessage` auto-scope +
+   * seq-stamp the event to the conversation's SSE stream.
+   */
+  conversationId: string;
+  /**
+   * Tool-use id of the `skill_execute` block that launched this run, for
+   * anchoring the inline workflow card to the exact spawn tool call.
+   */
+  toolUseId?: string;
+  /** Run label (the workflow's `meta.name`), for client display. */
+  label?: string;
+}
+
+/**
+ * A leaf agent within a workflow run has started. `seq` orders leaves within
+ * the run for stable client-side tree placement.
+ */
+export interface WorkflowLeafStarted {
+  type: "workflow_leaf_started";
+  runId: string;
+  /**
+   * Originating conversation id; lets `broadcastMessage` auto-scope +
+   * seq-stamp the event to the conversation's SSE stream.
+   */
+  conversationId: string;
+  seq: number;
+  /** Leaf label, for client display. */
+  label?: string;
+  /** Phase the leaf belongs to, when the workflow declares phases. */
+  phase?: string;
+  /** Short summary of the leaf's prompt, for client display. */
+  promptSummary?: string;
+}
+
+/**
+ * A leaf agent within a workflow run has finished. `seq` matches the
+ * corresponding `workflow_leaf_started` event.
+ */
+export interface WorkflowLeafFinished {
+  type: "workflow_leaf_finished";
+  runId: string;
+  /**
+   * Originating conversation id; lets `broadcastMessage` auto-scope +
+   * seq-stamp the event to the conversation's SSE stream.
+   */
+  conversationId: string;
+  seq: number;
+  status: "completed" | "failed";
+  /** Leaf label, for client display. */
+  label?: string;
+  inputTokens?: number;
+  outputTokens?: number;
+  /** Short summary of the leaf's result, for client display. */
+  resultSummary?: string;
+}
+
 // --- Domain-level union aliases (consumed by the barrel file) ---
 
-export type _WorkflowsServerMessages = WorkflowProgress | WorkflowCompleted;
+export type _WorkflowsServerMessages =
+  | WorkflowProgress
+  | WorkflowCompleted
+  | WorkflowStarted
+  | WorkflowLeafStarted
+  | WorkflowLeafFinished;

package/src/daemon/orphan-reaper.test.ts

@@ -21,7 +21,6 @@ mock.module("../util/logger.js", () => ({
 }));
 
 const { parseProcStat, selectReapable } = await import("./orphan-reaper.js");
-const { DaemonConfigSchema } = await import("../config/schemas/platform.js");
 
 describe("parseProcStat", () => {
   test("parses a normal stat line", () => {
@@ -89,24 +88,6 @@ describe("selectReapable", () => {
   });
 });
 
-describe("daemon.reapOrphanedSubprocesses gate", () => {
-  test("defaults to off so the reaper is opt-in", () => {
-    // GIVEN a daemon config with the reaper flag unspecified
-    // WHEN it is parsed with schema defaults
-    const parsed = DaemonConfigSchema.parse({});
-    // THEN the reaper is disabled unless explicitly turned on
-    expect(parsed.reapOrphanedSubprocesses).toBe(false);
-  });
-
-  test("honors an explicit opt-in", () => {
-    // GIVEN a daemon config that explicitly enables the reaper
-    // WHEN it is parsed
-    const parsed = DaemonConfigSchema.parse({ reapOrphanedSubprocesses: true });
-    // THEN the flag is respected
-    expect(parsed.reapOrphanedSubprocesses).toBe(true);
-  });
-});
-
 // ── Integration: real reparented orphan on Linux ────────────────────────────
 const itLinux = process.platform === "linux" ? test : test.skip;
 

package/src/daemon/orphan-reaper.ts

@@ -26,9 +26,7 @@
  * macOS dev, or if an init such as tini is ever placed above the daemon),
  * orphans reparent to that init and are reaped there, so there is nothing for
  * this to do. Because the daemon is PID 1, orphans already reparent to it and
- * `PR_SET_CHILD_SUBREAPER` is unnecessary. It is additionally gated behind the
- * `daemon.reapOrphanedSubprocesses` config flag (default off) so the behavior
- * can be enabled per workspace for validation before becoming the default.
+ * `PR_SET_CHILD_SUBREAPER` is unnecessary.
  *
  * References:
  * - libuv reaps its own children by pid on SIGCHLD (`uv__wait_children`):
@@ -42,7 +40,6 @@
 import { readdirSync, readFileSync } from "node:fs";
 import { dlopen, FFIType, ptr } from "bun:ffi";
 
-import { getConfigReadOnly } from "../config/loader.js";
 import { getLogger } from "../util/logger.js";
 
 const log = getLogger("orphan-reaper");
@@ -192,22 +189,9 @@ function reapScan(): void {
   }
 }
 
-/**
- * Read the opt-in gate from workspace config (`daemon.reapOrphanedSubprocesses`),
- * tolerating a missing or malformed config so startup never fails on it.
- */
-function isReaperEnabled(): boolean {
-  try {
-    return getConfigReadOnly().daemon.reapOrphanedSubprocesses;
-  } catch {
-    return false;
-  }
-}
-
 /**
  * Start the periodic orphan reaper. No-op unless the daemon is PID 1 on Linux
- * (otherwise reparented orphans are reaped by the real init) and the
- * `daemon.reapOrphanedSubprocesses` config gate is enabled.
+ * (otherwise reparented orphans are reaped by the real init).
  */
 export function startOrphanReaper(): void {
   if (scanTimer) return;
@@ -218,12 +202,6 @@ export function startOrphanReaper(): void {
     );
     return;
   }
-  if (!isReaperEnabled()) {
-    log.info(
-      "Orphan reaper not started: daemon.reapOrphanedSubprocesses is disabled",
-    );
-    return;
-  }
   if (!initWaitpid()) return;
   seenLastScan = new Set();
   scanTimer = setInterval(reapScan, SCAN_INTERVAL_MS);

package/src/daemon/server.ts

@@ -19,7 +19,6 @@ import {
   publishAvatarChanged,
   publishConfigChanged,
   publishIdentityChanged,
-  publishIdentityIntroChanged,
   publishSoundsConfigUpdated,
 } from "../runtime/sync/resource-sync-events.js";
 import { updatePublishedAppDeployment } from "../services/published-app-updater.js";
@@ -193,14 +192,6 @@ export class DaemonServer {
     }
   }
 
-  private broadcastIdentityIntroChanged(): void {
-    try {
-      publishIdentityIntroChanged();
-    } catch (err) {
-      log.error({ err }, "Failed to broadcast identity intro change");
-    }
-  }
-
   /** Best-effort sync of the IDENTITY.md name to the platform record. */
   private syncIdentityToPlatform(): void {
     try {
@@ -313,7 +304,6 @@ export class DaemonServer {
       () => this.broadcastAvatarUpdated(),
       () => this.broadcastConfigChanged(),
       () => refreshSkillCapabilityMemories(getConfig()),
-      () => this.broadcastIdentityIntroChanged(),
     );
 
     this.syncIdentityToPlatform();

package/src/daemon/tool-setup-types.ts

@@ -88,6 +88,10 @@ export interface ToolSetupContext extends SurfaceConversationContext {
   taskRunId?: string;
   /** Guardian runtime context for the conversation — trustClass is propagated into ToolContext for control-plane policy enforcement. */
   trustContext?: TrustContext;
+  /** Per-turn trust snapshot, captured at turn start. Preferred over the live
+   *  `trustContext` for mid-turn trust decisions (tool approval, control-plane
+   *  policy) so a concurrent mutation cannot elevate the in-flight turn. */
+  currentTurnTrustContext?: TrustContext;
   /** Voice/call session ID, if the conversation originates from a call. Propagated into ToolContext for scoped grant consumption. */
   callSessionId?: string;
   /** The interface ID of the connected client driving the current turn (e.g. "macos", "chrome-extension"). Propagated into ToolContext for browser backend selection. */