@vellumai/assistant 0.9.0 → 0.10.0-staging.2

package/src/tools/subagent/spawn.ts

@@ -1,3 +1,7 @@
+import { validateInferenceProfileKey } from "../../config/inference-profile-validation.js";
+import { resolveDefaultProfileKey } from "../../config/llm-resolver.js";
+import { getConfig } from "../../config/loader.js";
+import { AUTO_PROFILE_KEY } from "../../config/seed-inference-profiles.js";
 import { findConversation } from "../../daemon/conversation-registry.js";
 import { getConversationOverrideProfile } from "../../memory/conversation-crud.js";
 import type { Message } from "../../providers/types.js";
@@ -14,6 +18,7 @@ export async function executeSubagentSpawn(
   const extraContext = input.context as string | undefined;
   const fork = input.fork === true;
   const role = (input.role as string | undefined) ?? undefined;
+  const inferenceProfile = input.inference_profile;
 
   // For fork mode, sendResultToUser defaults to false unless explicitly set to true.
   // For regular mode, sendResultToUser defaults to true (existing behavior).
@@ -28,6 +33,26 @@ export async function executeSubagentSpawn(
     };
   }
 
+  let requestedOverrideProfile: string | undefined;
+  let forceOverrideProfile = false;
+  if (inferenceProfile !== undefined) {
+    if (typeof inferenceProfile !== "string") {
+      return {
+        content: "Error: inference_profile must be a string",
+        isError: true,
+      };
+    }
+    const profileError = validateInferenceProfileKey(inferenceProfile);
+    if (profileError) {
+      return {
+        content: `Error: ${profileError}`,
+        isError: true,
+      };
+    }
+    requestedOverrideProfile = inferenceProfile;
+    forceOverrideProfile = true;
+  }
+
   const manager = getSubagentManager();
   const sendToClient = context.sendToClient as
     | ((msg: { type: string; [key: string]: unknown }) => void)
@@ -75,18 +100,41 @@ export async function executeSubagentSpawn(
   // `SubagentManager.spawn` forwards it back into the subagent's
   // `runAgentLoop` call as `options.overrideProfile`.
   //
-  // Prefer the per-turn `context.overrideProfile` (populated by
-  // `runAgentLoopImpl` from its resolved `turnOverrideProfile`) over a
-  // row read so nested spawns inherit correctly. The current subagent's
-  // own conversation row never has `inferenceProfile` set — its override
-  // arrived via in-memory `SubagentConfig.overrideProfile` — and even if it
-  // were set, `getConversationOverrideProfile` short-circuits for
-  // background conversations and returns `undefined`. Falling back to the
-  // row read preserves behavior for tool calls that originate outside an
-  // agent-loop turn.
-  const inheritedOverrideProfile =
-    context.overrideProfile ??
-    getConversationOverrideProfile(context.conversationId);
+  // Resolution order: an explicit spawn-time profile, then the per-turn
+  // `context.overrideProfile` (populated by `runAgentLoopImpl` from its
+  // resolved `turnOverrideProfile`, covering per-conversation overrides and
+  // tool-routed switches), then a row read, and finally the resolved DEFAULT
+  // profile of the call site that invoked us. That last fallback is what makes
+  // a subagent match its invoker when the invoking turn ran purely on its
+  // call-site default — the workspace `activeProfile` for `mainAgent`, or the
+  // call site's own catalog default (e.g. `cost-optimized`) for a
+  // heartbeat/background invoker. `resolveDefaultProfileKey` does not reflect a
+  // static `llm.callSites.<callSite>` profile override (only the
+  // activeProfile-for-mainAgent path plus the catalog default), a narrow gap
+  // that only surfaces with no `activeProfile` set and a hand-tuned call-site
+  // profile.
+  //
+  // The fallback is forwarded NON-forced, so an explicit
+  // `llm.callSites.subagentSpawn` profile still wins; an explicit
+  // `inference_profile` argument keeps `forceOverrideProfile` and wins
+  // outright. (The row read short-circuits to `undefined` for the background
+  // subagent conversation and for tool calls outside an agent-loop turn.)
+  let inheritedOverrideProfile = requestedOverrideProfile;
+  if (inheritedOverrideProfile === undefined) {
+    const inheritedCandidate =
+      context.overrideProfile ??
+      getConversationOverrideProfile(context.conversationId) ??
+      resolveDefaultProfileKey(
+        context.invokingCallSite ?? "mainAgent",
+        getConfig().llm,
+      );
+    // Skip the metadata-only "auto" key: forwarding it collapses the child to
+    // `llm.default`, whereas the invoker's own auto base IS the `subagentSpawn`
+    // default — so leaving this undefined keeps the child on that default.
+    if (inheritedCandidate !== AUTO_PROFILE_KEY) {
+      inheritedOverrideProfile = inheritedCandidate;
+    }
+  }
 
   try {
     const subagentId = await manager.spawn(
@@ -102,6 +150,7 @@ export async function executeSubagentSpawn(
         ...(inheritedOverrideProfile
           ? { overrideProfile: inheritedOverrideProfile }
           : {}),
+        ...(forceOverrideProfile ? { forceOverrideProfile: true } : {}),
         ...(context.toolUseId ? { parentToolUseId: context.toolUseId } : {}),
         ...forkFields,
       },

package/src/tools/terminal/shell.ts

@@ -4,8 +4,8 @@ import { spawn } from "node:child_process";
 import { getConfig } from "../../config/loader.js";
 import { isCesShellLockdownEnabled } from "../../credential-execution/feature-gates.js";
 import { RiskLevel } from "../../permissions/types.js";
-import { isUntrustedTrustClass } from "../../runtime/actor-trust-resolver.js";
 import { wakeAgentForOpportunity } from "../../runtime/agent-wake.js";
+import { isUntrustedShellLockdownActive } from "../../runtime/effective-capabilities.js";
 import { redactSecrets } from "../../security/secret-scanner.js";
 import { getLogger } from "../../util/logger.js";
 import { getDataDir } from "../../util/platform.js";
@@ -117,9 +117,10 @@ export const shellTool = {
     }
 
     const config = getConfig();
-    const shellLockdownActive =
-      isCesShellLockdownEnabled(config) &&
-      isUntrustedTrustClass(context.trustClass);
+    const shellLockdownActive = isUntrustedShellLockdownActive({
+      trustClass: context.trustClass,
+      lockdownEnabled: isCesShellLockdownEnabled(config),
+    });
 
     const networkMode: "off" | "proxied" =
       input.network_mode === "proxied" ? "proxied" : "off";
@@ -307,6 +308,11 @@ export const shellTool = {
 
     const env = buildSanitizedEnv();
     env.__CONVERSATION_ID = context.conversationId;
+    // Surface the resolving model to assistant CLI commands so they can tailor
+    // remediation guidance for weak open models (see isWeakOpenModel).
+    if (context.attribution?.resolvedModel) {
+      env.__RESOLVED_MODEL = context.attribution.resolvedModel;
+    }
     if (proxyEnv) {
       Object.assign(env, proxyEnv);
     }

package/src/tools/tool-approval-handler.ts

@@ -9,7 +9,7 @@ import {
   isUnparseableToolArgs,
   unparseableToolArgsMessage,
 } from "../providers/unparseable-tool-args.js";
-import { isUntrustedTrustClass } from "../runtime/actor-trust-resolver.js";
+import { resolveCapabilities } from "../runtime/capabilities.js";
 import { createOrReuseToolGrantRequest } from "../runtime/tool-grant-request-helper.js";
 import { redactSecrets } from "../security/secret-scanner.js";
 import { computeToolApprovalDigest } from "../security/tool-approval-digest.js";
@@ -157,7 +157,6 @@ const UI_SURFACE_TOOLS = new Set(["ui_show", "ui_update", "ui_dismiss"]);
 
 function requiresGuardianApprovalForActor(
   toolName: string,
-  input: Record<string, unknown>,
   executionTarget: ExecutionTarget,
 ): boolean {
   // UI surface tools are passive, user-visible operations (cards, forms,
@@ -170,14 +169,14 @@ function requiresGuardianApprovalForActor(
   // Side-effect tools always require guardian approval for untrusted actors.
   // Read-only host execution is also blocked because it can leak sensitive
   // local information (e.g. shell/file reads).
-  return isSideEffectTool(toolName, input) || executionTarget === "host";
+  return isSideEffectTool(toolName) || executionTarget === "host";
 }
 
 function guardianApprovalDeniedMessage(
   trustClass: ToolContext["trustClass"],
   toolName: string,
 ): string {
-  if (trustClass === "unknown") {
+  if (resolveCapabilities(trustClass).sensitiveToolApproval === "deny") {
     return `Permission denied for "${toolName}": this action requires guardian approval from a verified channel identity.`;
   }
   return `Permission denied for "${toolName}": this action requires guardian approval and the current actor is not the guardian.`;
@@ -320,11 +319,14 @@ export class ToolApprovalHandler {
 
     const guardianApprovalRequired = requiresGuardianApprovalForActor(
       name,
-      input,
       executionTarget,
     );
 
-    if (isUntrustedTrustClass(context.trustClass) && guardianApprovalRequired) {
+    if (
+      resolveCapabilities(context.trustClass).sensitiveToolApproval !==
+        "self" &&
+      guardianApprovalRequired
+    ) {
       const inputDigest = computeToolApprovalDigest(name, input);
       needsGrantConsumption = true;
       deferredConsumeParams = {
@@ -532,15 +534,18 @@ export class ToolApprovalHandler {
 
       // No matching grant or race condition - deny or wait inline.
       //
-      // For verified non-guardian actors (trusted_contact) with sufficient
-      // context, escalate to the guardian by creating a canonical
-      // tool_grant_request. Then wait bounded for the grant to become
-      // available - this lets the tool call succeed inline after guardian
-      // approval without the requester having to retry manually.
+      // For non-guardian actors with established identity (trusted_contact
+      // or unverified_contact) and sufficient context, escalate to the
+      // guardian by creating a canonical tool_grant_request. Then wait
+      // bounded for the grant to become available - this lets the tool call
+      // succeed inline after guardian approval without the requester having
+      // to retry manually.
       //
-      // Unverified actors remain fail-closed with no escalation or wait.
+      // Actors with no identity (unknown) remain fail-closed with no
+      // escalation or wait.
       if (
-        context.trustClass === "trusted_contact" &&
+        resolveCapabilities(context.trustClass).sensitiveToolApproval ===
+          "escalate-and-wait" &&
         context.assistantId &&
         context.executionChannel &&
         context.requesterExternalUserId

package/src/tools/tool-manifest.ts

@@ -15,7 +15,6 @@ import { askQuestionTool } from "./ask-question/ask-question-tool.js";
 import { makeAuthenticatedRequestTool } from "./credential-execution/make-authenticated-request.js";
 import { manageSecureCommandTool } from "./credential-execution/manage-secure-command-tool.js";
 import { runAuthenticatedCommandTool } from "./credential-execution/run-authenticated-command.js";
-import { credentialStoreTool } from "./credentials/vault.js";
 import { fileEditTool } from "./filesystem/edit.js";
 import { fileListTool } from "./filesystem/list.js";
 import { fileReadTool } from "./filesystem/read.js";
@@ -90,7 +89,6 @@ export const explicitTools: ToolDefinition[] = [
   // Always-explicit tools
   rememberTool,
   recallTool,
-  credentialStoreTool,
   notifyParentTool,
   askQuestionTool,
   // NOTE: external skill tools (registered via registerExternalTools in

package/src/tools/types.ts

@@ -13,6 +13,7 @@ import { RiskLevel } from "@vellumai/skill-host-contracts";
 import { z } from "zod";
 
 import type { InterfaceId } from "../channels/types.js";
+import type { LLMCallSite } from "../config/schemas/llm.js";
 import type { ToolActivityMetadata } from "../daemon/message-types/web-activity.js";
 import type { SecretPromptResult } from "../permissions/secret-prompter.js";
 import type { ContentBlock } from "../providers/types.js";
@@ -363,6 +364,14 @@ export interface ToolContext {
    * `executeSubagentSpawn` in tools/subagent/spawn.ts.
    */
   overrideProfile?: string;
+  /**
+   * The LLM call site of the turn currently executing this tool (`mainAgent`,
+   * `heartbeatAgent`, scheduled work, etc.). `subagent_spawn` reads it to
+   * default a spawned subagent's inference profile to the profile the invoking
+   * turn resolved to, so subagents match whatever agent invoked them rather
+   * than always falling back to the static `subagentSpawn` call-site default.
+   */
+  invokingCallSite?: LLMCallSite;
   /**
    * Canonical principal ID of the actor on whose behalf this tool invocation
    * is running. Sourced from `conversation.trustContext.guardianPrincipalId`.

package/src/tools/ui-surface/definitions.ts

@@ -8,6 +8,7 @@
  */
 
 import { RiskLevel } from "../../permissions/types.js";
+import { isWeakOpenModel } from "../../providers/weak-open-model.js";
 import { ACTIVATION_MOMENT_PARAMS } from "../../telemetry/activation-funnel.js";
 import type {
   ToolContext,
@@ -37,8 +38,9 @@ function proxyExecute(toolName: string) {
   ): Promise<ToolExecutionResult> => {
     if (toolName === "ui_show" && isEmptyDynamicPage(input)) {
       return {
-        content:
-          "Error: ui_show dynamic_page requires non-empty HTML in `data.html`. The surface was not displayed because no content was provided — the user would see a blank box. Resend ui_show with the full HTML markup in `data.html`.",
+        content: isWeakOpenModel(context.attribution?.resolvedModel)
+          ? EMPTY_DYNAMIC_PAGE_DECLARATIVE_REDIRECT
+          : EMPTY_DYNAMIC_PAGE_HTML_HINT,
         isError: true,
       };
     }
@@ -59,6 +61,14 @@ function proxyExecute(toolName: string) {
       };
     }
 
+    if (toolName === "ui_update" && isEmptyUpdate(input)) {
+      return {
+        content:
+          'Error: ui_update received an empty `data` payload, so the surface was unchanged — the user still sees its previous state. The provided data is merged into the surface\'s current data, and merging nothing is a no-op. To advance a task_progress card, send the full step list: ui_update { surface_id: "<id>", data: { templateData: { steps: [{ label: "<step>", status: "completed" }, { label: "<step>", status: "in_progress" }] } } }. Resend ui_update with the fields you intend to change under `data`.',
+        isError: true,
+      };
+    }
+
     if (!context.proxyToolResolver) {
       return {
         content: `No proxy resolver configured for proxy tool "${toolName}". This tool requires an external resolver (e.g. a connected macOS client).`,
@@ -81,6 +91,27 @@ function proxyExecute(toolName: string) {
   };
 }
 
+/**
+ * Rejection envelope for an empty `dynamic_page` ui_show from a capable model:
+ * the surface carried no `data.html`, so it would render as a blank box. These
+ * models reliably author HTML, so the fix is simply to resend it inline.
+ */
+const EMPTY_DYNAMIC_PAGE_HTML_HINT =
+  "Error: ui_show dynamic_page requires non-empty HTML in `data.html`. The surface was not displayed because no content was provided — the user would see a blank box. Resend ui_show with the full HTML markup in `data.html`.";
+
+/**
+ * Rejection envelope for an empty `dynamic_page` ui_show from a weak open model.
+ * Authoring full HTML inline is the generation task these models fail at (an
+ * empty `data: {}` here, or broken markup otherwise), so steering them to
+ * "resend the HTML" just repeats the failure. Most widget requests are really
+ * structured data — comparisons, results, metrics — which render reliably via a
+ * field-based surface the model populates without writing any HTML, and which
+ * cannot render blank. dynamic_page stays available for genuinely custom visual
+ * HTML.
+ */
+const EMPTY_DYNAMIC_PAGE_DECLARATIVE_REDIRECT =
+  'Error: ui_show dynamic_page was not displayed — `data.html` was empty, so the user would see a blank box. Authoring full HTML inline is error-prone; for data, comparisons, results, or metrics prefer a structured surface, which you fill with fields (no HTML) and which never renders blank. Re-show the content as one of: a `table` (ui_show { surface_type: "table", data: { columns: [{ id, label }], rows: [{ id, cells: { <columnId>: "<value>" } }] } }), a `card` ({ title, body, metadata: [{ label, value }] }), or `work_result` ({ summary, metrics: [{ label, value }] }). Only use dynamic_page when you genuinely need custom visual HTML, in which case include the complete markup in `data.html` now.';
+
 /**
  * Worked ui_update example, appended to a successful task_progress `ui_show`
  * result so the model learns the update pattern at the point of use (with the
@@ -98,6 +129,36 @@ function isTaskProgressCardShow(input: Record<string, unknown>): boolean {
   return data?.template === "task_progress";
 }
 
+/**
+ * A `ui_update` whose `data` merge would change nothing: missing, not an
+ * object, or containing only (recursively) empty objects. Merging such a
+ * payload is a silent no-op — the surface keeps its prior state while the
+ * client still reports "Surface updated" — so the model never learns its
+ * update was hollow and a live card (e.g. task_progress) appears frozen.
+ * Arrays (e.g. `templateData.steps`) and any non-empty primitive leaf count
+ * as content.
+ */
+function isEmptyUpdate(input: Record<string, unknown>): boolean {
+  const data = asRecord(input.data);
+  return data === null || !hasContent(data);
+}
+
+function hasContent(value: unknown): boolean {
+  if (value === null || value === undefined) {
+    return false;
+  }
+  if (Array.isArray(value)) {
+    return value.length > 0;
+  }
+  if (typeof value === "object") {
+    return Object.values(value).some(hasContent);
+  }
+  if (typeof value === "string") {
+    return value.trim().length > 0;
+  }
+  return true;
+}
+
 function isEmptyDynamicPage(input: Record<string, unknown>): boolean {
   if (input.surface_type !== "dynamic_page") {
     return false;
@@ -311,7 +372,7 @@ export const uiShowTool = {
 // ui_update
 // ---------------------------------------------------------------------------
 
-const uiUpdateTool = {
+export const uiUpdateTool = {
   name: "ui_update",
   description:
     "Update an existing surface's data. The provided data object is merged into the surface's current data.\n" +

package/src/tools/verification-control-plane-policy.ts

@@ -10,6 +10,8 @@
  *   /v1/channel-verification-sessions/revoke
  */
 
+import { resolveCapabilities } from "../runtime/capabilities.js";
+
 const VERIFICATION_ENDPOINT_PATHS = [
   "/v1/channel-verification-sessions",
   "/v1/channel-verification-sessions/resend",
@@ -128,7 +130,7 @@ export function enforceVerificationControlPlanePolicy(
     return { denied: false };
   }
 
-  if (trustClass === "guardian") {
+  if (resolveCapabilities(trustClass).canUseVerificationControlPlane) {
     return { denied: false };
   }
 

package/src/tools/workflows/run-workflow.test.ts

@@ -11,11 +11,9 @@ mock.module("../../util/logger.js", () => ({
 }));
 
 // ── Mutable mock state ────────────────────────────────────────────────
-// `flagEnabled` toggles the `workflows` feature flag; `configThrows`
-// simulates config not yet loaded (test-setup race). The run-manager mock
-// records the args of the last `start()` call for assertion.
+// `configThrows` simulates config not yet loaded (test-setup race). The
+// run-manager mock records the args of the last `start()` call for assertion.
 
-let flagEnabled = true;
 let configThrows = false;
 
 const realLoader = await import("../../config/loader.js");
@@ -35,13 +33,6 @@ mock.module("../../config/loader.js", () => ({
     }) as unknown as ReturnType<typeof realLoader.loadConfig>,
 }));
 
-const realFlags = await import("../../config/assistant-feature-flags.js");
-mock.module("../../config/assistant-feature-flags.js", () => ({
-  ...realFlags,
-  isAssistantFeatureFlagEnabled: (key: string) =>
-    key === "workflows" ? flagEnabled : false,
-}));
-
 // No live conversation in tests — the tool falls back to a synthetic trust
 // context built from the tool context's trustClass.
 const realRegistry = await import("../../daemon/conversation-registry.js");
@@ -92,7 +83,6 @@ function makeContext(): Parameters<typeof executeRunWorkflow>[1] {
 }
 
 beforeEach(() => {
-  flagEnabled = true;
   configThrows = false;
   startThrows = null;
   lastStartArgs = null;
@@ -105,10 +95,10 @@ beforeEach(() => {
 });
 
 describe("workflow tools are served by the workflows skill", () => {
-  // The cutover moved run_workflow / manage_workflows out of the always-on tool
-  // manifest into the flag-gated `workflows` bundled skill (loaded via
-  // skill_load, invoked via skill_execute). The skill manifest is the
-  // source of truth; assert it declares both as in-process host tools.
+  // run_workflow / manage_workflows are served by the `workflows` bundled skill
+  // (loaded via skill_load, invoked via skill_execute), not the always-on tool
+  // manifest. The skill manifest is the source of truth; assert it declares both
+  // as in-process host tools.
   test("the workflows skill TOOLS.json declares both host-executed tools", async () => {
     const { readFileSync } = await import("node:fs");
     const { join } = await import("node:path");
@@ -211,13 +201,13 @@ describe("run_workflow launch", () => {
   });
 
   test("surfaces a run-manager start error as a tool error", async () => {
-    startThrows = new Error("Workflows are not enabled.");
+    startThrows = new Error("run manager exploded");
     const res = await executeRunWorkflow(
       { script: "export const meta = {};" },
       makeContext(),
     );
     expect(res.isError).toBe(true);
-    expect(res.content).toContain("Workflows are not enabled.");
+    expect(res.content).toContain("run manager exploded");
   });
 });
 

package/src/tools/workflows/run-workflow.ts

@@ -68,6 +68,7 @@ export async function executeRunWorkflow(
       args,
       manifest,
       conversationId: context.conversationId,
+      ...(context.toolUseId ? { toolUseId: context.toolUseId } : {}),
       ...(label ? { label } : {}),
       trustContext,
     });

package/src/util/disk-usage.ts

@@ -1,7 +1,11 @@
 import { spawnSync } from "node:child_process";
 import { existsSync, statfsSync } from "node:fs";
 
-import { getMinikubeStorageSize } from "../config/env-registry.js";
+import {
+  getIsContainerized,
+  getIsPlatform,
+  getMinikubeStorageSize,
+} from "../config/env-registry.js";
 import { getWorkspaceDir } from "./platform.js";
 
 export interface DiskUsageInfo {
@@ -58,6 +62,57 @@ export function __resetDiskUsageCacheForTests(): void {
   duCachePaths = null;
 }
 
+/**
+ * How the workspace volume's capacity should be reported when statfsSync
+ * cannot see the volume directly.
+ *
+ * - `fixed-cap`: minikube hostPath PVC — the PVC request is the hard
+ *   capacity, so usage is measured with `du` and free space is whatever
+ *   remains within the quota.
+ * - `host-free`: local Docker named volume — the volume is backed by the
+ *   host (or Colima VM) filesystem and can grow into its free space, so
+ *   usage is measured with `du` and the effective capacity is current usage
+ *   plus the host's remaining headroom.
+ * - `none`: statfsSync already reports the volume accurately (bare metal, or
+ *   a platform-managed instance on a CSI-backed PVC), so use it directly.
+ */
+type WorkspaceVolumeReporting =
+  | { kind: "none" }
+  | { kind: "fixed-cap"; totalBytes: number }
+  | { kind: "host-free" };
+
+/**
+ * Decide how to report the workspace volume's capacity. Both minikube
+ * hostPath PVCs and local Docker named volumes are backed by the host
+ * filesystem, so statfsSync reports the host's entire disk rather than the
+ * workspace volume — in both cases we measure actual usage with `du` instead.
+ */
+function classifyWorkspaceVolume(
+  fsTotalBytes: number,
+): WorkspaceVolumeReporting {
+  // Minikube mode: the platform passes the PVC storage size so we can report
+  // accurate capacity. Detect the hostPath case by comparing filesystem size
+  // against the PVC size — if the filesystem is larger, statfsSync is seeing
+  // the host disk and we should measure the directory instead.
+  const storageSizeRaw = getMinikubeStorageSize();
+  if (storageSizeRaw) {
+    const pvcTotalBytes = parseK8sMemoryBytes(storageSizeRaw);
+    if (pvcTotalBytes !== null && fsTotalBytes > pvcTotalBytes * 1.1) {
+      return { kind: "fixed-cap", totalBytes: pvcTotalBytes };
+    }
+    return { kind: "none" };
+  }
+
+  // Local Docker hatch: the workspace is a Docker named volume backed by the
+  // host filesystem. Platform-managed remote instances run on CSI-backed PVCs
+  // where statfsSync already reports the volume, so they are excluded.
+  if (getIsContainerized() && !getIsPlatform()) {
+    return { kind: "host-free" };
+  }
+
+  return { kind: "none" };
+}
+
 export function getDiskUsageInfo(): DiskUsageInfo | null {
   try {
     const wsDir = getWorkspaceDir();
@@ -68,28 +123,28 @@ export function getDiskUsageInfo(): DiskUsageInfo | null {
     const bytesToMb = (b: number) =>
       Math.round((b / (1024 * 1024)) * 100) / 100;
 
-    // Minikube mode: the platform passes the PVC storage size so we can
-    // report accurate capacity. On hostPath-backed PVCs statfsSync reports
-    // the host's entire filesystem rather than the PVC. Detect this by
-    // comparing filesystem size against PVC size — if the filesystem is
-    // larger, measure actual directory usage with `du` instead.
-    const storageSizeRaw = getMinikubeStorageSize();
-    if (storageSizeRaw) {
-      const pvcTotalBytes = parseK8sMemoryBytes(storageSizeRaw);
-      if (pvcTotalBytes !== null && fsTotalBytes > pvcTotalBytes * 1.1) {
-        const volumePaths = [diskPath];
-        if (diskPath !== "/data" && existsSync("/data")) {
-          volumePaths.push("/data");
-        }
-        const usedBytes = getCachedDirectorySizeBytes(volumePaths);
-        if (usedBytes !== null) {
-          return {
-            path: diskPath,
-            totalMb: bytesToMb(pvcTotalBytes),
-            usedMb: bytesToMb(usedBytes),
-            freeMb: bytesToMb(Math.max(0, pvcTotalBytes - usedBytes)),
-          };
-        }
+    const reporting = classifyWorkspaceVolume(fsTotalBytes);
+    if (reporting.kind !== "none") {
+      const volumePaths = [diskPath];
+      if (diskPath !== "/data" && existsSync("/data")) {
+        volumePaths.push("/data");
+      }
+      const usedBytes = getCachedDirectorySizeBytes(volumePaths);
+      if (usedBytes !== null) {
+        const totalBytes =
+          reporting.kind === "fixed-cap"
+            ? reporting.totalBytes
+            : usedBytes + fsFreeBytes;
+        const freeBytes =
+          reporting.kind === "fixed-cap"
+            ? Math.max(0, reporting.totalBytes - usedBytes)
+            : fsFreeBytes;
+        return {
+          path: diskPath,
+          totalMb: bytesToMb(totalBytes),
+          usedMb: bytesToMb(usedBytes),
+          freeMb: bytesToMb(freeBytes),
+        };
       }
     }
 

package/src/util/platform.ts

@@ -314,7 +314,14 @@ export function getWorkspaceToolsDir(): string {
   return join(getWorkspaceDir(), "tools");
 }
 
-/** Returns $VELLUM_WORKSPACE_DIR/routes — user-defined HTTP route handlers. */
+/**
+ * Returns $VELLUM_WORKSPACE_DIR/routes — user-defined HTTP route handlers.
+ *
+ * Handler modules under this directory are dynamic-imported by the user-route
+ * dispatcher and their exported HTTP-method functions are executed on the
+ * next matching request, so the file risk classifier escalates writes under
+ * this path to High for the same reason `plugins/` and `tools/` are escalated.
+ */
 export function getWorkspaceRoutesDir(): string {
   return join(getWorkspaceDir(), "routes");
 }
@@ -402,8 +409,8 @@ export function getSkillRuntimePath(
  *
  * Resolution order:
  *
- *   1. macOS `.app` bundle: `Contents/Resources/bun` — shipped by
- *      `clients/macos/build.sh` at a version that matches `.tool-versions`.
+ *   1. macOS `.app` bundle: `Contents/Resources/bun` — bundled at a version
+ *      that matches `.tool-versions`.
  *   2. Next-to-binary: `<execDir>/bun` for Docker/generic compiled layouts
  *      that stage a bun binary alongside the daemon (PR 29 wires this up).
  *

package/src/watcher/telemetry.ts

@@ -4,8 +4,8 @@
  * ahead of the planned watcher → skills-and-schedules migration.
  *
  * Both event shapes ship through the existing lifecycle-event telemetry
- * pipeline, so they inherit its `collectUsageData` opt-out gate and need
- * no wire-contract or platform-side changes:
+ * pipeline, so they inherit its platform `share_analytics` consent gate and
+ * need no wire-contract or platform-side changes:
  *
  * - `watcher_enabled:<providerId>` — one per enabled watcher, at most
  *   once per 24h per daemon. Counts devices that have watchers

package/src/workflows/capabilities.ts

@@ -29,9 +29,8 @@
  *   (If host execution is ever wanted, the deliberate path is to thread the
  *   originating tool context through the engine — not to relax this gate.)
  *
- * This module is pure logic: it performs no feature-flag checks and no I/O
- * beyond the synchronous tool-registry lookup. The `workflows` flag gates the
- * callers, not this code.
+ * This module is pure logic: it performs no I/O beyond the synchronous
+ * tool-registry lookup.
  */
 
 import { z } from "zod";