clementine-agent 1.18.20 → 1.18.22

package/README.md

@@ -216,10 +216,27 @@ clementine login | auth              Authenticate Claude Code / OAuth providers
 clementine chat                      Interactive REPL
 clementine memory status             Index size, recent activity
 clementine memory search <q>         FTS5 search
+clementine memory model status       Local dense embedding model cache
+clementine memory model install      Pre-cache the local embedding model
 clementine memory dedup | reembed    Maintenance
 clementine brain digest              Run the brain digest pipeline
 ```
 
+Dense neural recall uses a local Transformers.js embedding model. Model
+weights are not bundled into the npm tarball; the first install caches them
+under `~/.clementine/models/`. To make repo or npm updates prefetch the model
+automatically, set this once in `~/.clementine/.env`:
+
+```
+CLEMENTINE_PREFETCH_EMBEDDINGS=1
+```
+
+You can also opt in for a single install/update command:
+
+```
+CLEMENTINE_INSTALL_EMBEDDINGS=1 npm install -g clementine-agent
+```
+
 **Projects & agents**
 ```
 clementine projects list | add <p> | remove <p>

package/dist/agent/action-enforcer.d.ts

@@ -0,0 +1,29 @@
+export type ActionExpectationSource = 'approval_followup' | 'user_request' | 'diagnostic_request' | 'none';
+export interface ActionExpectation {
+    expected: boolean;
+    source: ActionExpectationSource;
+    reason: string;
+}
+export interface ActionResponseAssessment {
+    violation: boolean;
+    reason: string;
+}
+export declare function detectActionExpectation(userText: string, opts?: {
+    approvalFollowup?: boolean;
+}): ActionExpectation;
+export declare function buildApprovalFollowupPrompt(reply: string): string;
+export declare function assessActionResponse(input: {
+    actionExpectation: ActionExpectation;
+    userText: string;
+    response: string;
+    toolActivityCount: number;
+    backgroundStarted?: boolean;
+    delegated?: boolean;
+}): ActionResponseAssessment;
+export declare function buildActionEnforcementPrompt(input: {
+    userText: string;
+    previousResponse: string;
+    reason: string;
+}): string;
+export declare function fallbackUnverifiedActionResponse(reason: string): string;
+//# sourceMappingURL=action-enforcer.d.ts.map

package/dist/agent/action-enforcer.js

@@ -0,0 +1,120 @@
+import { looksLikeApprovalPrompt } from './local-turn.js';
+function normalize(text) {
+    return text.trim().toLowerCase().replace(/\s+/g, ' ');
+}
+const ACTION_REQUEST_RE = /\b(can you|could you|would you|please|pls|i need you to|i want you to|let'?s|go ahead and|do it|handle this|take care of)\b[\s\S]{0,160}\b(send|email|message|post|publish|delete|change|update|run|execute|check|look(?:\s+into)?|diagnose|investigate|figure(?:\s+it)?\s*out|find|search|read|write|create|fix|schedule|reschedule|pull|fetch|review|tag|save|upload|download)\b/i;
+const DIRECT_ACTION_RE = /^(send|email|message|post|publish|delete|change|update|run|execute|check|look(?:\s+into)?|diagnose|investigate|find|search|read|write|create|fix|schedule|reschedule|pull|fetch|review|tag|save|upload|download)\b/i;
+const DIAGNOSTIC_RE = /\b(log|logs|crash|crashing|error|failing|failure|broken|diagnose|debug|investigate|look into|figure it out|what'?s causing|why is|why did)\b/i;
+const DONE_CLAIM_RE = /\b(done|sent|emailed|queued|accepted|completed|finished|fixed|updated|changed|deleted|posted|published|scheduled|rescheduled|created|saved|uploaded|downloaded|tagged|checked|reviewed|found|read|ran|executed)\b/i;
+const PROMISE_RE = /\b(i'?ll|i will|i am going to|i'?m going to|let me|i'?m checking|i'?m sending|i'?m running|i'?m looking|working on it|on it)\b[\s\S]{0,120}\b(send|email|message|post|publish|delete|change|update|run|execute|check|look|diagnose|investigate|find|search|read|write|create|fix|schedule|reschedule|pull|fetch|review|tag|save|upload|download|now)\b/i;
+const VACUOUS_ACK_RE = /^(got it|okay|ok|sure|perfect|sounds good|on it|will do|yep|yeah)[.! ]*$/i;
+const BLOCKED_OR_ASKING_RE = /\b(i can'?t|i cannot|unable to|blocked|need you to|need a|need the|please provide|please send|can you send|can you share|which|what should|who should|before i|confirm|approve|good to go|okay to)\b/i;
+const DIAGNOSTIC_DEFLECTION_RE = /\b(what are you seeing|what do you see|send (me )?the logs|share (the )?logs|provide (the )?logs|can you paste|can you send me)\b/i;
+export function detectActionExpectation(userText, opts = {}) {
+    if (opts.approvalFollowup) {
+        return {
+            expected: true,
+            source: 'approval_followup',
+            reason: 'user approved the previous action prompt',
+        };
+    }
+    const text = userText.trim();
+    if (!text)
+        return { expected: false, source: 'none', reason: 'empty message' };
+    if (ACTION_REQUEST_RE.test(text) || DIRECT_ACTION_RE.test(text)) {
+        const diagnostic = DIAGNOSTIC_RE.test(text);
+        return {
+            expected: true,
+            source: diagnostic ? 'diagnostic_request' : 'user_request',
+            reason: diagnostic ? 'user asked for local/tool-backed diagnosis' : 'user asked Clementine to take an action',
+        };
+    }
+    if (DIAGNOSTIC_RE.test(text) && /\b(can you|could you|please|figure|diagnose|debug|look)\b/i.test(text)) {
+        return {
+            expected: true,
+            source: 'diagnostic_request',
+            reason: 'user asked for local/tool-backed diagnosis',
+        };
+    }
+    return { expected: false, source: 'none', reason: 'no concrete action requested' };
+}
+export function buildApprovalFollowupPrompt(reply) {
+    return [
+        `[Approval reply: "${reply.trim().slice(0, 120)}"]`,
+        'The user approved the action you proposed in your previous message.',
+        'Continue from that previous approval prompt and perform the approved action now using the appropriate tool.',
+        'Do not treat this as casual feedback. Do not say it is done unless a tool call verifies it. If you are blocked, say exactly what is blocking you.',
+    ].join('\n');
+}
+export function assessActionResponse(input) {
+    const { actionExpectation, userText, response, toolActivityCount } = input;
+    if (!actionExpectation.expected)
+        return { violation: false, reason: 'no action expected' };
+    if (input.backgroundStarted)
+        return { violation: false, reason: 'action was queued in background' };
+    if (input.delegated)
+        return { violation: false, reason: 'action was delegated' };
+    if (toolActivityCount > 0)
+        return { violation: false, reason: 'tool activity observed' };
+    const trimmed = response.trim();
+    if (!trimmed)
+        return { violation: true, reason: 'empty response to action request' };
+    if (looksLikeApprovalPrompt(trimmed)) {
+        if (actionExpectation.source === 'approval_followup') {
+            return { violation: true, reason: 'asked for approval again after the user already approved' };
+        }
+        return { violation: false, reason: 'assistant requested approval before acting' };
+    }
+    const lower = normalize(trimmed);
+    if (actionExpectation.source === 'diagnostic_request' && DIAGNOSTIC_DEFLECTION_RE.test(lower)) {
+        return { violation: true, reason: 'asked user for logs instead of using available local tools' };
+    }
+    if (VACUOUS_ACK_RE.test(trimmed)) {
+        return { violation: true, reason: 'acknowledged action request without acting' };
+    }
+    if (DONE_CLAIM_RE.test(trimmed)) {
+        return { violation: true, reason: 'claimed completion without tool activity' };
+    }
+    if (PROMISE_RE.test(trimmed)) {
+        return { violation: true, reason: 'promised future action without same-turn tool activity' };
+    }
+    if (BLOCKED_OR_ASKING_RE.test(lower) || trimmed.endsWith('?')) {
+        return { violation: false, reason: 'assistant asked for needed input or reported a block' };
+    }
+    // Diagnostic requests should usually use local tools. A generic answer with
+    // no tool activity is allowed only if it clearly does not claim inspection.
+    if (actionExpectation.source === 'diagnostic_request' && /\b(i think|likely|probably|sounds like)\b/i.test(trimmed)) {
+        return { violation: false, reason: 'assistant gave hypothesis without claiming inspection' };
+    }
+    // For action-shaped requests, a generic short answer is usually a stall.
+    if (trimmed.length < 80 && /\b(send|email|message|run|fix|check|diagnose|figure|look)\b/i.test(userText)) {
+        return { violation: true, reason: 'short action response without tool activity' };
+    }
+    return { violation: false, reason: 'no unsupported action claim detected' };
+}
+export function buildActionEnforcementPrompt(input) {
+    return [
+        '[SYSTEM ACTION ENFORCEMENT]',
+        'Your previous response was not allowed because it implied action without verified tool activity.',
+        `Reason: ${input.reason}`,
+        '',
+        'Original user request:',
+        input.userText.slice(0, 1200),
+        '',
+        'Previous response:',
+        input.previousResponse.slice(0, 1200),
+        '',
+        'Now correct this in the same turn:',
+        '- If the action is possible, use the appropriate tool now.',
+        '- If the action is blocked, say exactly what is blocking it.',
+        '- Do not say "done", "sent", "queued", "checked", or similar unless a tool call actually verifies it.',
+    ].join('\n');
+}
+export function fallbackUnverifiedActionResponse(reason) {
+    return [
+        "I didn't complete that yet.",
+        `I caught an action-verification issue: ${reason}.`,
+        "I won't call it done without a tool confirmation. Please resend the request and I'll retry from a clean turn.",
+    ].join(' ');
+}
+//# sourceMappingURL=action-enforcer.js.map

package/dist/agent/assistant.d.ts

@@ -11,6 +11,7 @@
  */
 import type { AgentProfile, OnTextCallback, OnToolActivityCallback, VerboseLevel } from '../types.js';
 import { AgentManager } from './agent-manager.js';
+import { type ToolsetName } from './toolsets.js';
 /**
  * Estimate token count for Claude.
  *
@@ -30,6 +31,8 @@ export declare function estimateTokens(text: string): number;
 export declare function looksLikeContextThrashText(value: unknown): boolean;
 export declare function contextThrashRecoveryNotice(): string;
 export declare function buildContextThrashRecoveryPrompt(userRequest: string, priorFailureText?: string): string;
+/** Format a millisecond duration as a human-friendly "X ago" string. */
+export declare function formatTimeAgo(ms: number): string;
 export declare function looksLikeOneMillionContextError(value: unknown): boolean;
 export declare function oneMillionContextRecoveryMessage(): string;
 export declare function looksLikeProviderApiErrorResponse(value: unknown): boolean;
@@ -147,6 +150,7 @@ export declare class PersonalAssistant {
     flushSessions(): void;
     private saveSessionsNow;
     getExchangeCount(sessionKey: string): number;
+    hasRecentApprovalPrompt(sessionKey: string): boolean;
     getMemoryChunkCount(): number;
     private buildSystemPrompt;
     private buildOptions;
@@ -178,6 +182,7 @@ export declare class PersonalAssistant {
         projectOverride?: ProjectMeta;
         verboseLevel?: VerboseLevel;
         abortController?: AbortController;
+        toolset?: ToolsetName;
     }): Promise<[string, string]>;
     /**
      * Compare retrieved chunks against the response text and record which
@@ -198,6 +203,12 @@ export declare class PersonalAssistant {
      * No LLM call — uses buildLocalSummary for instant summarization.
      */
     private compactContext;
+    compactSessionForGateway(sessionKey: string, reason?: string): {
+        compacted: boolean;
+        exchangeCount: number;
+        summary?: string;
+        reason: string;
+    };
     /**
      * Expire sessions inactive for more than 24 hours.
      * Called periodically from chat() to prevent unbounded map growth.
@@ -209,6 +220,7 @@ export declare class PersonalAssistant {
      * to avoid blocking the user's query.
      */
     private buildLocalSummary;
+    private buildStructuredCompactionSummary;
     private buildLocalSummaryFromTurns;
     /**
      * Walk a chronological list of transcript turns and pair adjacent

package/dist/agent/assistant.js

@@ -21,7 +21,7 @@ import { detectFrustrationSignals, detectRepeatedTopics } from './insight-engine
 import { DEFAULT_CHANNEL_CAPABILITIES } from '../types.js';
 import { enforceToolPermissions, getSecurityPrompt, getHeartbeatSecurityPrompt, getCronSecurityPrompt, getHeartbeatDisallowedTools, logToolUse, setProfileTier, setProfileAllowedTools, setAgentDir, setSendPolicy, setInteractionSource, logAuditJsonl, } from './hooks.js';
 import { scanner } from '../security/scanner.js';
-import { agentWorkingMemoryFile, listAllGoals } from '../tools/shared.js';
+import { agentWorkingMemoryFile, capOutput, listAllGoals } from '../tools/shared.js';
 import { AgentManager } from './agent-manager.js';
 import { extractLinks } from './link-extractor.js';
 import { StallGuard } from './stall-guard.js';
@@ -33,6 +33,8 @@ import { searchSkills as searchSkillsSync } from './skill-extractor.js';
 import { classifyIntent, getStrategyGuidance } from './intent-classifier.js';
 import { getEventLog } from './session-event-log.js';
 import { routeToolSurface, TOOL_SURFACE_HARD_LIMIT, TOOL_SURFACE_WARN_THRESHOLD } from './tool-router.js';
+import { isRestrictedToolset, toolsetAllowsLocalWrites } from './toolsets.js';
+import { looksLikeApprovalPrompt } from './local-turn.js';
 import { decideTurn } from './turn-policy.js';
 import { loadClementineJson } from '../config/clementine-json.js';
 import { isCreditBalanceError, markBackgroundCreditBlocked } from '../gateway/credit-guard.js';
@@ -294,9 +296,23 @@ const query = ((args) => {
     }
     return rawQuery(args);
 });
+function parseMemoryTimestampMs(value) {
+    const text = String(value ?? '').trim();
+    if (!text)
+        return NaN;
+    // SQLite datetime('now') returns UTC as "YYYY-MM-DD HH:mm:ss" with no zone.
+    // Parse it explicitly as UTC so summaries don't appear hours in the future.
+    if (/^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$/.test(text)) {
+        return Date.parse(`${text.replace(' ', 'T')}Z`);
+    }
+    return Date.parse(text);
+}
 /** Format a millisecond duration as a human-friendly "X ago" string. */
-function formatTimeAgo(ms) {
-    const minutes = Math.floor(ms / 60_000);
+export function formatTimeAgo(ms) {
+    const safeMs = Number.isFinite(ms) ? Math.max(0, ms) : 0;
+    if (safeMs < 60_000)
+        return 'just now';
+    const minutes = Math.floor(safeMs / 60_000);
     if (minutes < 60)
         return `${minutes}m ago`;
     const hours = Math.floor(minutes / 60);
@@ -311,6 +327,11 @@ function formatTimeAgo(ms) {
 const CONTEXT_GUARD_MIN_TOKENS = 16_000;
 /** Warn threshold — context is getting tight. */
 const CONTEXT_GUARD_WARN_TOKENS = 32_000;
+const PENDING_CONTEXT_USER_MAX_CHARS = 1000;
+const PENDING_CONTEXT_ASSISTANT_MAX_CHARS = 3000;
+const CRON_PROGRESS_NOTES_MAX_CHARS = 2000;
+const CRON_PROGRESS_PENDING_MAX_ITEMS = 20;
+const CRON_PROGRESS_ITEM_MAX_CHARS = 300;
 /** Rotate SDK sessions before hidden resume history approaches the 200K cap. */
 const SESSION_ROTATE_INPUT_TOKENS = 140_000;
 /** Approximate context window sizes by model family. */
@@ -328,6 +349,12 @@ function getContextWindow(model) {
     }
     return 200_000; // safe default
 }
+function capContextBlock(text, maxChars) {
+    return capOutput(String(text ?? ''), maxChars);
+}
+function capContextItem(text) {
+    return capContextBlock(text, CRON_PROGRESS_ITEM_MAX_CHARS).replace(/\s+/g, ' ').trim();
+}
 function resultInputTokens(result) {
     let total = 0;
     const modelUsage = result.modelUsage;
@@ -1319,6 +1346,10 @@ export class PersonalAssistant {
     getExchangeCount(sessionKey) {
         return this.exchangeCounts.get(sessionKey) ?? 0;
     }
+    hasRecentApprovalPrompt(sessionKey) {
+        const lastAssistant = this.lastExchanges.get(sessionKey)?.at(-1)?.assistant ?? '';
+        return looksLikeApprovalPrompt(lastAssistant);
+    }
     getMemoryChunkCount() {
         if (!this.memoryStore)
             return 0;
@@ -1950,7 +1981,7 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
     }
     // ── Build SDK Options ─────────────────────────────────────────────
     async buildOptions(opts = {}) {
-        const { isHeartbeat = false, cronTier = null, maxTurns = null, model = null, enableTeams = true, retrievalContext = '', profile = null, sessionKey = null, streaming = false, isPlanStep = false, isUnleashed = false, sourceOverride, disableAllTools = false, verboseLevel, abortController, effort, maxBudgetUsd, toolScopeText, thinking, outputFormat, stallGuard, intentClassification, turnPolicy, contextRoutingText, } = opts;
+        const { isHeartbeat = false, cronTier = null, maxTurns = null, model = null, enableTeams = true, retrievalContext = '', profile = null, sessionKey = null, streaming = false, isPlanStep = false, isUnleashed = false, sourceOverride, disableAllTools = false, verboseLevel, abortController, effort, maxBudgetUsd, toolScopeText, thinking, outputFormat, stallGuard, intentClassification, turnPolicy, contextRoutingText, toolset = 'auto', } = opts;
         const isCron = cronTier !== null;
         const toolsDisabledForCall = disableAllTools || (isHeartbeat && !isCron);
         const promptScopeText = toolScopeText ?? '';
@@ -2001,7 +2032,27 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
         const safeContextToolRoute = allowContextToolRoute && !contextToolRoute.fullSurface
             ? contextToolRoute
             : emptyToolRoute();
-        const toolRoute = mergeToolRoutes(promptToolRoute, mergeToolRoutes(safeProfileToolRoute, safeContextToolRoute));
+        let toolRoute = mergeToolRoutes(promptToolRoute, mergeToolRoutes(safeProfileToolRoute, safeContextToolRoute));
+        if (toolset === 'full') {
+            toolRoute = {
+                bundles: [],
+                externalMcpServers: undefined,
+                composioToolkits: undefined,
+                inheritFullClaudeEnv: true,
+                fullSurface: true,
+                reason: 'full_surface',
+            };
+        }
+        else if (isRestrictedToolset(toolset)) {
+            toolRoute = {
+                ...toolRoute,
+                bundles: [],
+                externalMcpServers: [],
+                composioToolkits: [],
+                inheritFullClaudeEnv: false,
+                fullSurface: false,
+            };
+        }
         let allowedTools = [];
         const addAllowed = (...tools) => {
             for (const tool of tools) {
@@ -2021,9 +2072,13 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
         const memoryNeeded = autonomousToolRun
             || retrievalContext.trim().length > 0
             || (turnPolicy?.retrievalTier !== undefined && turnPolicy.retrievalTier !== 'none');
-        const localReadNeeded = taskIntent || /\b(repo|repository|code|file|files|folder|directory|path|log|logs|config|read|show|grep|diff|search)\b/i.test(promptScopeLower);
-        const localWriteNeeded = taskIntent || /\b(write|edit|fix|implement|refactor|build|test|run|npm|git|commit|push|pull|deploy|install|configure)\b/i.test(promptScopeLower);
-        const adminNeeded = toolRoute.fullSurface || /\b(self[- ]?update|restart|daemon|doctor|env|credential|integration|setup|set up|configure|npm publish|publish to npm)\b/i.test(promptScopeLower);
+        const localReadNeeded = taskIntent || toolset === 'diagnostic' || /\b(repo|repository|code|file|files|folder|directory|path|log|logs|config|read|show|grep|diff|search)\b/i.test(promptScopeLower);
+        const diagnosticCommandNeeded = toolset === 'diagnostic'
+            && /\b(run|test|npm|pnpm|yarn|node|git|logs?|tail|ps|status|diagnos(?:e|tic)|check)\b/i.test(promptScopeLower);
+        const localWriteNeeded = diagnosticCommandNeeded
+            || (toolsetAllowsLocalWrites(toolset) && (taskIntent || /\b(write|edit|fix|implement|refactor|build|test|run|npm|git|commit|push|pull|deploy|install|configure)\b/i.test(promptScopeLower)));
+        const adminNeeded = toolRoute.fullSurface
+            || (toolsetAllowsLocalWrites(toolset) && /\b(self[- ]?update|restart|daemon|doctor|env|credential|integration|setup|set up|configure|npm publish|publish to npm)\b/i.test(promptScopeLower));
         if (!toolsDisabledForCall) {
             if (toolRoute.fullSurface) {
                 addAllowed('Read', 'Write', 'Edit', 'Bash', 'Glob', 'Grep', 'WebSearch', 'WebFetch');
@@ -2032,8 +2087,12 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
             else {
                 if (localReadNeeded)
                     addAllowed('Read', 'Glob', 'Grep');
-                if (localWriteNeeded)
-                    addAllowed('Write', 'Edit', 'Bash');
+                if (localWriteNeeded) {
+                    if (toolset === 'diagnostic')
+                        addAllowed('Bash');
+                    else
+                        addAllowed('Write', 'Edit', 'Bash');
+                }
                 if (toolRoute.bundles.includes('web_research') || toolRoute.bundles.includes('docs_lookup')) {
                     addAllowed('WebSearch', 'WebFetch');
                 }
@@ -2041,7 +2100,12 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
                     addClementineTools(CLEMENTINE_CORE_TOOL_NAMES);
                     addClementineTools(CLEMENTINE_RELATIONSHIP_TOOL_NAMES);
                 }
-                if (taskIntent || intentClassification?.type === 'correction') {
+                const clementineMemoryWritesAllowed = toolset === 'auto'
+                    || toolset === 'full'
+                    || toolset === 'communications'
+                    || intentClassification?.type === 'feedback'
+                    || intentClassification?.type === 'correction';
+                if ((taskIntent || intentClassification?.type === 'correction') && clementineMemoryWritesAllowed) {
                     addClementineTools(CLEMENTINE_MEMORY_WRITE_TOOL_NAMES);
                     addClementineTools(CLEMENTINE_WORKSPACE_TOOL_NAMES);
                 }
@@ -2058,20 +2122,22 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
                     addClementineTools(CLEMENTINE_INTEGRATION_TOOL_NAMES);
                     addClementineTools(CLEMENTINE_ADMIN_TOOL_NAMES);
                 }
-                if (toolRoute.bundles.includes('email_outlook') || /\b(outlook|email|mailbox|inbox|calendar|follow-?up)\b/i.test(scopeText)) {
+                if ((toolset === 'auto' || toolset === 'full' || toolset === 'communications')
+                    && (toolRoute.bundles.includes('email_outlook') || /\b(outlook|email|mailbox|inbox|calendar|follow-?up)\b/i.test(scopeText))) {
                     addClementineTools(CLEMENTINE_COMM_TOOL_NAMES);
                 }
-                if (toolRoute.bundles.includes('github') || toolRoute.bundles.includes('browser') || toolRoute.bundles.includes('web_research')) {
+                if ((toolset === 'auto' || toolset === 'full')
+                    && (toolRoute.bundles.includes('github') || toolRoute.bundles.includes('browser') || toolRoute.bundles.includes('web_research'))) {
                     addClementineTools(CLEMENTINE_RESEARCH_TOOL_NAMES);
                 }
-                if (enableTeams) {
+                if (enableTeams && (toolset === 'auto' || toolset === 'full')) {
                     addAllowed('Task', 'Agent');
                     addClementineTools(CLEMENTINE_TEAM_TOOL_NAMES);
                     addClementineTools(CLEMENTINE_JOB_TOOL_NAMES);
                 }
             }
             // Include local user scripts/plugins for task-like or explicit full-surface turns.
-            if (taskIntent || toolRoute.fullSurface || adminNeeded) {
+            if (toolsetAllowsLocalWrites(toolset) && (taskIntent || toolRoute.fullSurface || adminNeeded)) {
                 try {
                     const toolsDir = path.join(BASE_DIR, 'tools');
                     const pluginsDir = path.join(BASE_DIR, 'plugins');
@@ -2414,6 +2480,7 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
             isolateClaudeConfig,
             inheritFullClaudeEnv: shouldInheritClaudeEnv,
             maxBudgetUsd: enforcedBudget,
+            toolset,
             isCron,
             cronTier,
             isPlanStep,
@@ -2806,6 +2873,7 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
         const projectOverride = options?.projectOverride;
         const verboseLevel = options?.verboseLevel;
         const abortController = options?.abortController;
+        const toolset = options?.toolset ?? 'auto';
         const key = sessionKey ?? undefined;
         this._lastUserMessage = text;
         let sessionRotated = false;
@@ -2906,11 +2974,14 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
             const exchanges = this.lastExchanges.get(key) ?? [];
             if (exchanges.length === 0 && this.memoryStore) {
                 try {
-                    const recentSummaries = this.memoryStore.getRecentSummaries(1);
+                    const recentSummaries = typeof this.memoryStore.getRecentSummariesForSession === 'function'
+                        ? this.memoryStore.getRecentSummariesForSession(key, 1)
+                        : this.memoryStore.getRecentSummaries(5).filter((s) => s.sessionKey === key).slice(0, 1);
                     if (recentSummaries.length > 0) {
                         const last = recentSummaries[0];
-                        const ageMs = Date.now() - new Date(last.createdAt).getTime();
-                        if (ageMs < 7 * 24 * 60 * 60 * 1000) { // within 7 days
+                        const createdAtMs = parseMemoryTimestampMs(last.createdAt);
+                        const ageMs = Date.now() - createdAtMs;
+                        if (Number.isFinite(ageMs) && ageMs >= -5 * 60_000 && ageMs < 7 * 24 * 60 * 60 * 1000) { // within 7 days
                             const ago = formatTimeAgo(ageMs);
                             effectivePrompt =
                                 `[Last conversation (${ago}):\n${last.summary.slice(0, 600)}]\n\n` +
@@ -2946,7 +3017,9 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
             if (allPending.length > 0) {
                 const contextLines = [];
                 for (const ctx of allPending) {
-                    contextLines.push(`[${ctx.user}]\n${ctx.assistant}`);
+                    const user = capContextBlock(ctx.user, PENDING_CONTEXT_USER_MAX_CHARS);
+                    const assistant = capContextBlock(ctx.assistant, PENDING_CONTEXT_ASSISTANT_MAX_CHARS);
+                    contextLines.push(`[${user}]\n${assistant}`);
                 }
                 effectivePrompt =
                     `[Since we last talked, you did some background work. Naturally mention what happened — lead with anything that needs attention, briefly note routine completions. Don't dump raw tool calls or list job names. Be conversational.\nBackground:\n${contextLines.join('\n\n')}]\n\n${effectivePrompt}`;
@@ -2975,7 +3048,7 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
         const effectiveMaxTurns = maxTurns ?? turnPolicy.maxTurns;
         const CHAT_TIMEOUT_MS = 30 * 60 * 1000;
         const guard = new StallGuard();
-        let [responseText, sessionId] = await this.runQuery(effectivePrompt, key, onText, model, profile, securityAnnotation, effectiveMaxTurns, projectOverride, onToolActivity, verboseLevel, abortController, guard, CHAT_TIMEOUT_MS, intent, turnPolicy);
+        let [responseText, sessionId] = await this.runQuery(effectivePrompt, key, onText, model, profile, securityAnnotation, effectiveMaxTurns, projectOverride, onToolActivity, verboseLevel, abortController, guard, CHAT_TIMEOUT_MS, intent, turnPolicy, toolset);
         // If we got a context-length / prompt-too-long error, retry with a fresh session
         const errLower = responseText.toLowerCase();
         const isContextOverflow = errLower.includes('prompt is too long') ||
@@ -2996,7 +3069,7 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
                         `If this task involves pulling data for multiple entities, delegate each to a sub-agent using the Agent tool ` +
                         `instead of calling data-heavy tools directly.\n\n${text}`;
             }
-            [responseText, sessionId] = await this.runQuery(retryPrompt, key, onText, model, profile, securityAnnotation, maxTurns, undefined, onToolActivity, verboseLevel, abortController, undefined, CHAT_TIMEOUT_MS, intent, turnPolicy);
+            [responseText, sessionId] = await this.runQuery(retryPrompt, key, onText, model, profile, securityAnnotation, maxTurns, undefined, onToolActivity, verboseLevel, abortController, undefined, CHAT_TIMEOUT_MS, intent, turnPolicy, toolset);
         }
         // Track exchange count, timestamp, and last exchange.
         // Never store API error responses — they poison session history and create
@@ -3090,7 +3163,7 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
     // ── Run Query ─────────────────────────────────────────────────────
     static RATE_LIMIT_MAX_RETRIES = 3;
     static RATE_LIMIT_BACKOFF = [5000, 15000, 30000];
-    async runQuery(prompt, sessionKey, onText, model, profile, securityAnnotation, maxTurnsOverride, projectOverride, onToolActivity, verboseLevel, abortController, stallGuard, timeoutMs, intentClassification, turnPolicy) {
+    async runQuery(prompt, sessionKey, onText, model, profile, securityAnnotation, maxTurnsOverride, projectOverride, onToolActivity, verboseLevel, abortController, stallGuard, timeoutMs, intentClassification, turnPolicy, toolset = 'auto') {
         // Parallelize context retrieval and project matching — they're independent
         // If a project override is set, skip auto-matching entirely
         const hasActiveSession = !!(sessionKey && this.sessions.has(sessionKey));
@@ -3197,6 +3270,7 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
                     intentClassification,
                     turnPolicy: effectiveTurnPolicy,
                     effort: effectiveTurnPolicy?.effort ?? intentClassification?.suggestedEffort,
+                    toolset,
                     // Route destructive/admin/local write decisions from the direct user
                     // request only. Retrieved memory may still contribute integration
                     // continuity via contextRoutingText, but stale memories should not
@@ -3981,18 +4055,20 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
      *
      * No LLM call — uses buildLocalSummary for instant summarization.
      */
-    compactContext(sessionKey) {
-        const summary = this.buildLocalSummary(sessionKey);
+    compactContext(sessionKey, reason = 'context_guard') {
+        const summary = this.buildStructuredCompactionSummary(sessionKey);
         if (!summary)
-            return;
+            return null;
         // Build compaction block for working memory
         const exchangeCount = this.exchangeCounts.get(sessionKey) ?? 0;
+        const parentSessionId = this.sessions.get(sessionKey) ?? null;
         const COMPACTION_START = '<!-- COMPACTION_START -->';
         const COMPACTION_END = '<!-- COMPACTION_END -->';
         const compactionBlock = [
             COMPACTION_START,
             `## Session Compaction (auto-generated)`,
             `Session ${sessionKey} compacted at ${exchangeCount} exchanges.`,
+            `Reason: ${reason}.`,
             ``,
             summary,
             ``,
@@ -4030,6 +4106,20 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
         catch {
             // If working memory write fails, still rotate — better than hitting the hard limit
         }
+        try {
+            this.memoryStore?.saveSessionSummary?.(sessionKey, summary, exchangeCount);
+            this.memoryStore?.recordSessionLineage?.({
+                sessionKey,
+                parentSessionId,
+                childSessionId: null,
+                reason,
+                summary,
+                exchangeCount,
+            });
+        }
+        catch {
+            // Durable lineage is helpful, not required for compaction safety.
+        }
         // Rotate session — clear the session ID so next query starts fresh
         // The working memory summary will provide continuity
         this.sessions.delete(sessionKey);
@@ -4038,6 +4128,14 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
         this.sessionTimestamps.delete(sessionKey);
         this.stallNudges.delete(sessionKey);
         this.saveSessions();
+        return summary;
+    }
+    compactSessionForGateway(sessionKey, reason = 'gateway_preflight') {
+        const exchangeCount = this.exchangeCounts.get(sessionKey) ?? 0;
+        const summary = this.compactContext(sessionKey, reason);
+        return summary
+            ? { compacted: true, exchangeCount, summary, reason }
+            : { compacted: false, exchangeCount, reason };
     }
     /**
      * Expire sessions inactive for more than 24 hours.
@@ -4059,7 +4157,39 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
      * to avoid blocking the user's query.
      */
     buildLocalSummary(sessionKey) {
-        return this.buildLocalSummaryFromTurns(this.lastExchanges.get(sessionKey) ?? []);
+        let exchanges = this.lastExchanges.get(sessionKey) ?? [];
+        if (exchanges.length === 0 && this.memoryStore && typeof this.memoryStore.getTranscriptTail === 'function') {
+            try {
+                const recent = this.memoryStore.getTranscriptTail(sessionKey, 0, SESSION_EXCHANGE_HISTORY_SIZE * 2);
+                exchanges = this.pairTranscriptTurns(recent ?? []);
+            }
+            catch {
+                exchanges = [];
+            }
+        }
+        return this.buildLocalSummaryFromTurns(exchanges);
+    }
+    buildStructuredCompactionSummary(sessionKey) {
+        const exchanges = this.lastExchanges.get(sessionKey) ?? [];
+        const summary = this.buildLocalSummary(sessionKey);
+        if (!summary)
+            return '';
+        const latest = exchanges.at(-1);
+        const lastUser = latest?.user
+            ? latest.user.slice(0, 400).replace(/\s+/g, ' ')
+            : '';
+        const continuity = [
+            '- Exact details remain in transcripts; use transcript_search before relying on this handoff for names, dates, IDs, files, or sent-message status.',
+            '- Keep tool outputs bounded and prefer targeted reads over full log dumps.',
+            lastUser ? `- Last visible user request: ${lastUser}` : '',
+        ].filter(Boolean);
+        return [
+            '### Recent Conversation',
+            summary,
+            '',
+            '### Continuity Notes',
+            continuity.join('\n'),
+        ].join('\n');
     }
     buildLocalSummaryFromTurns(turns, opts) {
         if (turns.length === 0)
@@ -4971,13 +5101,17 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
                 const progress = JSON.parse(fs.readFileSync(progressFile, 'utf-8'));
                 const parts = [`## Previous Progress (run #${progress.runCount}, ${progress.lastRunAt})`];
                 if (progress.completedItems?.length > 0) {
-                    parts.push(`Completed: ${progress.completedItems.slice(-10).join(', ')}`);
+                    parts.push(`Completed: ${progress.completedItems.slice(-10).map(capContextItem).join(', ')}`);
                 }
                 if (progress.pendingItems?.length > 0) {
-                    parts.push(`Pending: ${progress.pendingItems.join(', ')}`);
+                    const pendingItems = progress.pendingItems.slice(0, CRON_PROGRESS_PENDING_MAX_ITEMS).map(capContextItem);
+                    const suffix = progress.pendingItems.length > CRON_PROGRESS_PENDING_MAX_ITEMS
+                        ? ` (${progress.pendingItems.length - CRON_PROGRESS_PENDING_MAX_ITEMS} more omitted)`
+                        : '';
+                    parts.push(`Pending: ${pendingItems.join(', ')}${suffix}`);
                 }
                 if (progress.notes) {
-                    parts.push(`Notes: ${progress.notes}`);
+                    parts.push(`Notes: ${capContextBlock(progress.notes, CRON_PROGRESS_NOTES_MAX_CHARS)}`);
                 }
                 progressContext = parts.join('\n') + '\n\n' +
                     'Continue from where you left off. Use `cron_progress_write` at the end to save what you completed and what\'s pending.\n\n';
@@ -5999,8 +6133,8 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
      * so follow-up conversation has context.
      */
     injectContext(sessionKey, userText, assistantText) {
-        const trimmedUser = userText.slice(0, INJECTED_CONTEXT_MAX_CHARS);
-        const trimmedAssistant = assistantText.slice(0, INJECTED_CONTEXT_MAX_CHARS);
+        const trimmedUser = capContextBlock(userText, INJECTED_CONTEXT_MAX_CHARS);
+        const trimmedAssistant = capContextBlock(assistantText, INJECTED_CONTEXT_MAX_CHARS);
         // Add to in-memory exchange history
         const history = this.lastExchanges.get(sessionKey) ?? [];
         history.push({ user: trimmedUser, assistant: trimmedAssistant });