vellum 0.2.13 → 0.2.14

package/src/daemon/tls-certs.ts

@@ -0,0 +1,189 @@
+import { mkdir, stat, readFile, writeFile, chmod } from 'node:fs/promises';
+import { join } from 'node:path';
+import { X509Certificate, createPrivateKey } from 'node:crypto';
+import { getRootDir } from '../util/platform.js';
+import { getLogger } from '../util/logger.js';
+
+const log = getLogger('tls-certs');
+
+const TLS_DIR = 'tls';
+const CERT_FILENAME = 'cert.pem';
+const KEY_FILENAME = 'key.pem';
+const FINGERPRINT_FILENAME = 'fingerprint';
+
+/** Returns the TLS directory path (~/.vellum/tls/). */
+export function getTlsDir(): string {
+  return join(getRootDir(), TLS_DIR);
+}
+
+/** Returns the path to the TLS certificate. */
+export function getTlsCertPath(): string {
+  return join(getTlsDir(), CERT_FILENAME);
+}
+
+/** Returns the path to the TLS private key. */
+export function getTlsKeyPath(): string {
+  return join(getTlsDir(), KEY_FILENAME);
+}
+
+/** Returns the path to the certificate fingerprint file. */
+export function getTlsFingerprintPath(): string {
+  return join(getTlsDir(), FINGERPRINT_FILENAME);
+}
+
+/**
+ * Compute the SHA-256 fingerprint of a DER-encoded certificate.
+ * Returns hex lowercase, no colons.
+ */
+function computeFingerprint(cert: X509Certificate): string {
+  // X509Certificate.fingerprint256 returns colon-separated uppercase hex.
+  // Normalize to lowercase without colons for compact storage and comparison.
+  return cert.fingerprint256.replace(/:/g, '').toLowerCase();
+}
+
+/**
+ * Check whether an existing cert+key pair is valid:
+ * - All three files exist (cert, key, fingerprint)
+ * - Cert is parseable as X509
+ * - Cert is not expired
+ * - Fingerprint file exists and matches the cert
+ * - Private key is valid and matches the certificate
+ */
+async function isExistingCertValid(): Promise<boolean> {
+  const certPath = getTlsCertPath();
+  const keyPath = getTlsKeyPath();
+  const fpPath = getTlsFingerprintPath();
+
+  // Check all three files exist
+  const [certExists, keyExists, fpExists] = await Promise.all([
+    stat(certPath).then(() => true, () => false),
+    stat(keyPath).then(() => true, () => false),
+    stat(fpPath).then(() => true, () => false),
+  ]);
+
+  if (!certExists || !keyExists || !fpExists) {
+    return false;
+  }
+
+  try {
+    const [certPem, keyPem, storedFp] = await Promise.all([
+      readFile(certPath, 'utf-8'),
+      readFile(keyPath, 'utf-8'),
+      readFile(fpPath, 'utf-8'),
+    ]);
+
+    const x509 = new X509Certificate(certPem);
+
+    // Check expiration
+    const notAfter = new Date(x509.validTo);
+    if (notAfter <= new Date()) {
+      log.info('Existing TLS certificate has expired, will regenerate');
+      return false;
+    }
+
+    // Check fingerprint matches
+    const actualFp = computeFingerprint(x509);
+    if (actualFp !== storedFp.trim()) {
+      log.info('TLS fingerprint mismatch, will regenerate');
+      return false;
+    }
+
+    // Verify the private key is valid and matches the certificate's public key.
+    // This catches corrupted key files or cert/key mismatches that would cause
+    // tls.createServer() to fail at runtime.
+    const privateKey = createPrivateKey(keyPem);
+    if (!x509.checkPrivateKey(privateKey)) {
+      log.info('TLS private key does not match certificate, will regenerate');
+      return false;
+    }
+
+    return true;
+  } catch (err) {
+    log.warn({ err }, 'Failed to validate existing TLS certificate, will regenerate');
+    return false;
+  }
+}
+
+/**
+ * Ensure a self-signed TLS certificate exists for the daemon.
+ *
+ * Stores files in `~/.vellum/tls/`:
+ * - `cert.pem` (0o644) — self-signed certificate
+ * - `key.pem` (0o600) — private key
+ * - `fingerprint` (0o644) — SHA-256 hex fingerprint (lowercase, no colons)
+ *
+ * Idempotent: skips generation if a valid cert already exists.
+ * Auto-regenerates if the cert is expired, fingerprint is missing/mismatched,
+ * or key/cert files are corrupt.
+ *
+ * Returns the cert, key (PEM strings), and fingerprint.
+ */
+export async function ensureTlsCert(): Promise<{ cert: string; key: string; fingerprint: string }> {
+  const tlsDir = getTlsDir();
+  const certPath = getTlsCertPath();
+  const keyPath = getTlsKeyPath();
+  const fpPath = getTlsFingerprintPath();
+
+  // Check if existing cert is still valid
+  if (await isExistingCertValid()) {
+    const [cert, key, fingerprint] = await Promise.all([
+      readFile(certPath, 'utf-8'),
+      readFile(keyPath, 'utf-8'),
+      readFile(fpPath, 'utf-8'),
+    ]);
+    log.info('Using existing TLS certificate');
+    return { cert, key, fingerprint: fingerprint.trim() };
+  }
+
+  // Generate new cert
+  log.info('Generating new self-signed TLS certificate');
+  await mkdir(tlsDir, { recursive: true });
+
+  // Generate RSA 2048 key
+  const keyProc = Bun.spawn(
+    ['openssl', 'genrsa', '-out', keyPath, '2048'],
+    { stdout: 'pipe', stderr: 'pipe' },
+  );
+  const keyExit = await keyProc.exited;
+  if (keyExit !== 0) {
+    const stderr = await new Response(keyProc.stderr).text();
+    throw new Error(`Failed to generate TLS key: ${stderr}`);
+  }
+
+  // Generate self-signed cert (10-year validity)
+  const certProc = Bun.spawn(
+    [
+      'openssl', 'req', '-new', '-x509',
+      '-key', keyPath,
+      '-out', certPath,
+      '-days', '3650',
+      '-subj', '/CN=Vellum Daemon',
+    ],
+    { stdout: 'pipe', stderr: 'pipe' },
+  );
+  const certExit = await certProc.exited;
+  if (certExit !== 0) {
+    const stderr = await new Response(certProc.stderr).text();
+    throw new Error(`Failed to generate TLS certificate: ${stderr}`);
+  }
+
+  // Compute and write fingerprint
+  const certPem = await readFile(certPath, 'utf-8');
+  const x509 = new X509Certificate(certPem);
+  const fingerprint = computeFingerprint(x509);
+  await writeFile(fpPath, fingerprint);
+
+  // Set permissions: key is private, cert and fingerprint are readable
+  await Promise.all([
+    chmod(keyPath, 0o600),
+    chmod(certPath, 0o644),
+    chmod(fpPath, 0o644),
+  ]);
+
+  log.info({ fingerprint, certPath }, 'TLS certificate generated');
+  return {
+    cert: certPem,
+    key: await readFile(keyPath, 'utf-8'),
+    fingerprint,
+  };
+}

package/src/daemon/video-thumbnail.ts

@@ -35,11 +35,13 @@ export async function generateVideoThumbnail(dataBase64: string): Promise<string
       outputPath,
     ], { stderr: 'pipe' });
 
-    // Race against a 10s timeout to avoid hanging on slow/stuck ffmpeg
+    // Race against a 10s timeout to avoid hanging on slow/stuck ffmpeg.
+    // The timer handle is cleared via finally() so it doesn't leak when ffmpeg exits normally.
+    let timer: ReturnType<typeof setTimeout>;
     const exitCode = await Promise.race([
-      proc.exited,
+      proc.exited.finally(() => clearTimeout(timer)),
       new Promise<never>((_, reject) =>
-        setTimeout(() => { proc.kill(); reject(new Error('ffmpeg timed out')); }, 10_000)
+        timer = setTimeout(() => { proc.kill(); reject(new Error('ffmpeg timed out')); }, 10_000)
       ),
     ]);
 

package/src/hooks/manager.ts

@@ -3,6 +3,7 @@ import { discoverHooks } from './discovery.js';
 import { runHookScript } from './runner.js';
 import { getLogger, isDebug } from '../util/logger.js';
 import { getHooksDir } from '../util/platform.js';
+import { Debouncer } from '../util/debounce.js';
 import type { DiscoveredHook, HookEventName, HookEventData, HookTriggerResult } from './types.js';
 
 const log = getLogger('hooks-manager');
@@ -11,7 +12,7 @@ export class HookManager {
   private hooks: DiscoveredHook[] = [];
   private eventIndex = new Map<HookEventName, DiscoveredHook[]>();
   private watcher: FSWatcher | null = null;
-  private debounceTimer: ReturnType<typeof setTimeout> | null = null;
+  private readonly debouncer = new Debouncer(500);
 
   initialize(): void {
     this.hooks = discoverHooks();
@@ -82,12 +83,10 @@ export class HookManager {
 
     try {
       this.watcher = watch(hooksDir, { recursive: true }, (_eventType, filename) => {
-        if (this.debounceTimer) clearTimeout(this.debounceTimer);
-        this.debounceTimer = setTimeout(() => {
-          this.debounceTimer = null;
+        this.debouncer.schedule(() => {
           log.info({ filename: String(filename ?? '') }, 'Hooks directory changed, reloading');
           this.reload();
-        }, 500);
+        });
       });
       log.info({ dir: hooksDir }, 'Watching hooks directory for changes');
     } catch (err) {
@@ -96,10 +95,7 @@ export class HookManager {
   }
 
   stopWatching(): void {
-    if (this.debounceTimer) {
-      clearTimeout(this.debounceTimer);
-      this.debounceTimer = null;
-    }
+    this.debouncer.cancel();
     if (this.watcher) {
       this.watcher.close();
       this.watcher = null;

package/src/memory/app-git-service.ts

@@ -0,0 +1,295 @@
+/**
+ * Git-backed version control for user-defined apps.
+ *
+ * Initializes a git repository in the apps directory (~/.vellum/apps/) and
+ * commits after every app mutation (create, update, delete, file write/edit).
+ * Commits are fire-and-forget — they never block the caller.
+ *
+ * Also exposes query methods (history, diff, file-at-version, restore) for
+ * browsing and reverting app version history.
+ *
+ * Reuses WorkspaceGitService for all git operations (mutex, circuit breaker,
+ * lazy init, etc.).
+ */
+
+import { getWorkspaceGitService } from '../workspace/git-service.js';
+import { getAppsDir } from './app-store.js';
+import { getLogger } from '../util/logger.js';
+import { existsSync, readFileSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+
+const log = getLogger('app-git');
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+export interface AppVersion {
+  commitHash: string;
+  message: string;
+  /** Unix milliseconds */
+  timestamp: number;
+}
+
+// ---------------------------------------------------------------------------
+// Gitignore management
+// ---------------------------------------------------------------------------
+
+/**
+ * Patterns excluded from app version tracking.
+ * - *.preview — large base64 preview images
+ * - records directories — user data (form submissions), not app code
+ */
+const APP_GITIGNORE_RULES = [
+  '*.preview',
+  '*/records/',
+];
+
+/**
+ * Ensure the apps directory .gitignore contains app-specific exclusion rules.
+ * Idempotent: only appends rules that are missing.
+ */
+function ensureAppGitignoreRules(appsDir: string): void {
+  const gitignorePath = join(appsDir, '.gitignore');
+  let content = '';
+  if (existsSync(gitignorePath)) {
+    content = readFileSync(gitignorePath, 'utf-8');
+  }
+
+  const missingRules = APP_GITIGNORE_RULES.filter(rule => !content.includes(rule));
+  if (missingRules.length > 0) {
+    if (content && !content.endsWith('\n')) {
+      content += '\n';
+    }
+    content += missingRules.join('\n') + '\n';
+    writeFileSync(gitignorePath, content, 'utf-8');
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Input validation
+// ---------------------------------------------------------------------------
+
+/** Validate that a string looks like a hex commit hash (short or full). */
+function validateCommitHash(hash: string): void {
+  if (!/^[0-9a-f]{4,40}$/i.test(hash)) {
+    throw new Error(`Invalid commit hash: ${hash}`);
+  }
+}
+
+/** Validate an app ID (UUID-like, no path traversal or git pathspec chars). */
+function validateAppId(id: string): void {
+  if (!id || id.includes('/') || id.includes('\\') || id.includes('..') || id !== id.trim()) {
+    throw new Error(`Invalid app ID: ${id}`);
+  }
+  // Reject git pathspec metacharacters to prevent cross-app operations
+  if (/[*?[\]:(]/.test(id)) {
+    throw new Error(`Invalid app ID: contains git pathspec characters: ${id}`);
+  }
+}
+
+/** Validate a relative file path within an app (no traversal). */
+function validateRelativePath(path: string): void {
+  if (!path || path.includes('..') || path.startsWith('/') || path.startsWith('\\')) {
+    throw new Error(`Invalid file path: ${path}`);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Initialization & commit
+// ---------------------------------------------------------------------------
+
+/**
+ * Eagerly initialize the app git repo so that the "Initial commit" is
+ * created before any app files are written. Without this, the first
+ * mutation's files get absorbed into WorkspaceGitService's bootstrap
+ * commit and the "Create app: ..." commit ends up empty.
+ *
+ * Safe to call multiple times — ensureInitialized() is idempotent.
+ * Fire-and-forget: errors are logged but never thrown.
+ */
+export async function initAppGit(): Promise<void> {
+  try {
+    const appsDir = getAppsDir();
+    ensureAppGitignoreRules(appsDir);
+    const gitService = getWorkspaceGitService(appsDir);
+    await gitService.ensureInitialized();
+  } catch (err) {
+    log.error({ err }, 'Failed to initialize app git repo');
+  }
+}
+
+/**
+ * Commit app changes to the apps git repository.
+ *
+ * This is fire-and-forget: errors are logged but never thrown.
+ * The caller should not await the returned promise unless it needs
+ * to guarantee the commit completed (e.g. in tests).
+ */
+export async function commitAppChange(message: string): Promise<void> {
+  try {
+    const appsDir = getAppsDir();
+
+    // Re-check .gitignore rules every call in case the apps dir was
+    // recreated while the process was running.
+    ensureAppGitignoreRules(appsDir);
+
+    const gitService = getWorkspaceGitService(appsDir);
+    await gitService.commitChanges(message);
+  } catch (err) {
+    log.error({ err, message }, 'Failed to commit app change');
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Query methods
+// ---------------------------------------------------------------------------
+
+/**
+ * Get the commit history for a specific app.
+ *
+ * Scopes `git log` to files belonging to this app:
+ *   {appId}.json, {appId}/index.html, {appId}/pages/*, etc.
+ */
+export async function getAppHistory(appId: string, limit = 50): Promise<AppVersion[]> {
+  validateAppId(appId);
+  const safeLimit = Math.max(1, Math.min(Math.floor(limit) || 50, 500));
+  const appsDir = getAppsDir();
+  const gitService = getWorkspaceGitService(appsDir);
+
+  // Format: hash<TAB>unix-seconds<TAB>subject line
+  const { stdout } = await gitService.runReadOnlyGit([
+    'log',
+    `--max-count=${safeLimit}`,
+    '--format=%H\t%at\t%s',
+    '--',
+    `${appId}.json`,
+    `${appId}/`,
+  ]);
+
+  if (!stdout.trim()) return [];
+
+  return stdout.trim().split('\n').map(line => {
+    const [commitHash, epochSec, ...messageParts] = line.split('\t');
+    return {
+      commitHash,
+      message: messageParts.join('\t'),
+      timestamp: parseInt(epochSec, 10) * 1000,
+    };
+  });
+}
+
+/**
+ * Get a unified diff for a specific app between two commits.
+ * If `toCommit` is omitted, diffs against HEAD.
+ */
+export async function getAppDiff(
+  appId: string,
+  fromCommit: string,
+  toCommit?: string,
+): Promise<string> {
+  validateAppId(appId);
+  validateCommitHash(fromCommit);
+  if (toCommit) validateCommitHash(toCommit);
+
+  const appsDir = getAppsDir();
+  const gitService = getWorkspaceGitService(appsDir);
+
+  const range = toCommit ? `${fromCommit}..${toCommit}` : `${fromCommit}..HEAD`;
+  const { stdout } = await gitService.runReadOnlyGit([
+    'diff',
+    range,
+    '--',
+    `${appId}.json`,
+    `${appId}/`,
+  ]);
+
+  return stdout;
+}
+
+/**
+ * Get the contents of a file at a specific commit.
+ */
+export async function getAppFileAtVersion(
+  appId: string,
+  path: string,
+  commitHash: string,
+): Promise<string> {
+  validateAppId(appId);
+  validateRelativePath(path);
+  validateCommitHash(commitHash);
+
+  const appsDir = getAppsDir();
+  const gitService = getWorkspaceGitService(appsDir);
+
+  const { stdout } = await gitService.runReadOnlyGit([
+    'show',
+    `${commitHash}:${appId}/${path}`,
+  ]);
+
+  return stdout;
+}
+
+/**
+ * Restore an app's files to a previous version.
+ *
+ * Checks out the app's files at `commitHash`, then creates a new commit
+ * recording the restore action. Both operations run under the git mutex
+ * to prevent concurrent commits from interfering.
+ *
+ * Uses --no-overlay so files added after the target commit are removed,
+ * giving a true restore rather than a merge.
+ */
+export async function restoreAppVersion(appId: string, commitHash: string): Promise<void> {
+  validateAppId(appId);
+  validateCommitHash(commitHash);
+
+  const appsDir = getAppsDir();
+  const gitService = getWorkspaceGitService(appsDir);
+
+  await gitService.runWithMutex(async (exec) => {
+    // Checkout the app's files at the target commit.
+    // --no-overlay removes files that don't exist at the target commit.
+    await exec([
+      'checkout',
+      commitHash,
+      '--no-overlay',
+      '--',
+      `${appId}.json`,
+      `${appId}/`,
+    ]);
+
+    // Read the app name and refresh updatedAt so the restored app
+    // doesn't appear stale in recency ordering.
+    let appName = appId;
+    const jsonPath = join(appsDir, `${appId}.json`);
+    if (existsSync(jsonPath)) {
+      try {
+        const raw = readFileSync(jsonPath, 'utf-8');
+        const app = JSON.parse(raw);
+        if (app.name) appName = app.name;
+        app.updatedAt = Date.now();
+        writeFileSync(jsonPath, JSON.stringify(app, null, 2) + '\n', 'utf-8');
+      } catch {
+        // fall back to id
+      }
+    }
+
+    const shortHash = commitHash.substring(0, 7);
+
+    // Stage only this app's files and commit atomically within the same mutex lock
+    await exec(['add', '--', `${appId}.json`, `${appId}/`]);
+    await exec(['commit', '-m', `Restore app: ${appName} to ${shortHash}`, '--allow-empty']);
+  });
+}
+
+// ---------------------------------------------------------------------------
+// Test helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * @internal Test-only: reset module state.
+ */
+export function _resetAppGitState(): void {
+  // no-op — kept for test API compatibility
+}

package/src/memory/app-store.ts

@@ -29,6 +29,7 @@ import {
   isPrebuiltHomeBaseApp,
   validatePrebuiltHomeBaseHtml,
 } from '../home-base/prebuilt-home-base-updater.js';
+import { commitAppChange } from './app-git-service.js';
 
 export interface AppDefinition {
   id: string;
@@ -210,6 +211,8 @@ export function createApp(params: {
     app.pages = params.pages;
   }
 
+  void commitAppChange(`Create app: ${params.name}`);
+
   return app;
 }
 
@@ -372,14 +375,27 @@ export function updateApp(
     updated.pages = loadedPages;
   }
 
+  const changedFields = Object.keys(updates).filter(k => updates[k as keyof typeof updates] !== undefined);
+  void commitAppChange(`Update app: ${updated.name}\n\nChanged: ${changedFields.join(', ')}`);
+
   return updated;
 }
 
 export function deleteApp(id: string): void {
   validateId(id);
   const dir = getAppsDir();
+
+  // Read app name before deleting for the commit message
+  let appName = id;
   const filePath = join(dir, `${id}.json`);
   if (existsSync(filePath)) {
+    try {
+      const raw = readFileSync(filePath, 'utf-8');
+      const app = JSON.parse(raw);
+      if (app.name) appName = app.name;
+    } catch {
+      // fall back to id
+    }
     unlinkSync(filePath);
   }
   const previewPath = join(dir, `${id}.preview`);
@@ -388,6 +404,8 @@ export function deleteApp(id: string): void {
   }
   const appDir = join(dir, id);
   rmSync(appDir, { recursive: true, force: true });
+
+  void commitAppChange(`Delete app: ${appName}`);
 }
 
 export function createAppRecord(appId: string, data: Record<string, unknown>): AppRecord {
@@ -527,6 +545,8 @@ export function writeAppFile(appId: string, path: string, content: string): void
   const dir = join(resolved, '..');
   mkdirSync(dir, { recursive: true });
   writeFileSync(resolved, content, 'utf-8');
+
+  void commitAppChange(`Write ${path} in app ${appId}`);
 }
 
 /**
@@ -549,6 +569,7 @@ export function editAppFile(
   const result = applyEdit(content, oldString, newString, replaceAll ?? false);
   if (result.ok) {
     writeFileSync(resolved, result.updatedContent, 'utf-8');
+    void commitAppChange(`Edit ${path} in app ${appId}`);
   }
   return result;
 }

package/src/memory/conflict-intent.ts

@@ -22,16 +22,30 @@ export function computeConflictRelevance(
   );
 }
 
-function tokenizeForConflictRelevance(input: string): Set<string> {
-  const tokens = input
+const NOISE_TOKENS = new Set([
+  'http', 'https', 'github', 'gitlab', 'www', 'com', 'org',
+]);
+
+// Matches full URLs (http(s)://...) and scheme-less bare domain URLs for known
+// code hosting sites (e.g. github.com/org/repo/pull/123) so embedded path
+// segments like "pull", "issue", "ticket" don't leak into relevance scoring.
+// The scheme-less branch is restricted to known hosting domains to avoid
+// stripping dotted identifiers like "index.ts/runtime".
+const URL_PATTERN = /https?:\/\/[^\s)>\]]+|(?:github|gitlab|bitbucket)\.(?:com|org|io)\/[^\s)>\]]*/gi;
+
+export function tokenizeForConflictRelevance(input: string): Set<string> {
+  const stripped = input.replace(URL_PATTERN, ' ');
+  const tokens = stripped
     .toLowerCase()
     .split(/[^a-z0-9]+/g)
     .map((token) => token.trim())
-    .filter((token) => token.length >= 4);
+    .filter((token) => token.length >= 4)
+    .filter((token) => !/^\d+$/.test(token))
+    .filter((token) => !NOISE_TOKENS.has(token));
   return new Set(tokens);
 }
 
-function overlapRatio(left: Set<string>, right: Set<string>): number {
+export function overlapRatio(left: Set<string>, right: Set<string>): number {
   if (left.size === 0 || right.size === 0) return 0;
   let overlap = 0;
   for (const token of left) {
@@ -40,6 +54,35 @@ function overlapRatio(left: Set<string>, right: Set<string>): number {
   return overlap / Math.max(left.size, right.size);
 }
 
+/**
+ * Tokenize for statement-to-statement coherence checking.
+ * Uses a lower minimum token length (>= 3) than `tokenizeForConflictRelevance`
+ * to preserve short technical terms like "vim", "css", "git", "npm", etc.
+ */
+function tokenizeForCoherence(input: string): Set<string> {
+  const stripped = input.replace(URL_PATTERN, ' ');
+  const tokens = stripped
+    .toLowerCase()
+    .split(/[^a-z0-9]+/g)
+    .map((token) => token.trim())
+    .filter((token) => token.length >= 3)
+    .filter((token) => !/^\d+$/.test(token))
+    .filter((token) => !NOISE_TOKENS.has(token));
+  return new Set(tokens);
+}
+
+/**
+ * Check whether two conflict statements have topical coherence.
+ * Returns true if the statements share at least one meaningful token.
+ * Uses a permissive tokenizer (>= 3 chars) to avoid dropping short
+ * technical terms like "vim", "css", "git", etc.
+ */
+export function areStatementsCoherent(statementA: string, statementB: string): boolean {
+  const tokensA = tokenizeForCoherence(statementA);
+  const tokensB = tokenizeForCoherence(statementB);
+  return overlapRatio(tokensA, tokensB) > 0;
+}
+
 // Action verbs that signal the user is making a deliberate choice.
 const ACTION_CUES = new Set([
   'keep', 'use', 'prefer', 'go', 'pick', 'choose', 'take', 'want', 'select',