vellum 0.2.13 → 0.2.14

package/src/schedule/recurrence-engine.ts

@@ -11,8 +11,24 @@ export interface ScheduleSpec {
 const SUPPORTED_RRULE_PREFIXES = ['DTSTART', 'RRULE:', 'RDATE', 'EXDATE', 'EXRULE'];
 
 function normalizeRruleExpression(expression: string): string {
-  // Handle escaped newlines from JSON transport
-  return expression.replace(/\\n/g, '\n').trim();
+  // Handle escaped newlines from JSON transport, then uppercase property name
+  // prefixes (before the first ';' or ':') on each line so rrulestr() receives
+  // the canonical uppercase form regardless of what the caller provided. We
+  // stop at the earliest delimiter to preserve case-sensitive parameter values
+  // such as timezone names in DTSTART;TZID=America/New_York:...
+  return expression
+    .replace(/\\n/g, '\n')
+    .trim()
+    .split(/\r?\n/)
+    .map(line => {
+      const colonIdx = line.indexOf(':');
+      const semiIdx = line.indexOf(';');
+      if (colonIdx === -1 && semiIdx === -1) return line;
+      // Uppercase only the property name (before the first ';' or ':')
+      const nameEnd = semiIdx !== -1 && (colonIdx === -1 || semiIdx < colonIdx) ? semiIdx : colonIdx;
+      return line.slice(0, nameEnd).toUpperCase() + line.slice(nameEnd);
+    })
+    .join('\n');
 }
 
 function parseRruleLines(expression: string): string[] {
@@ -129,6 +145,14 @@ export function computeNextRunAt(spec: ScheduleSpec, nowMs?: number): number {
       : rrulestr(normalized, { tzid });
     const next = parsed.after(new Date(now));
     if (!next) {
+      // When after() (exclusive) returns null the rule may still have a
+      // terminal occurrence that lands exactly on `now` — e.g. COUNT=1 or the
+      // final UNTIL instance.  Treat that as "due right now" so claimDueSchedules
+      // doesn't silently skip the last run.
+      const exactMatch = parsed.before(new Date(now), true);
+      if (exactMatch && exactMatch.getTime() === now) {
+        return now;
+      }
       throw new Error(`RRULE expression has no upcoming runs after ${new Date(now).toISOString()}`);
     }
     return next.getTime();

package/src/schedule/recurrence-types.ts

@@ -60,7 +60,7 @@ export function normalizeScheduleSyntax(input: {
 
   // Legacy cron_expression fallback
   if (input.legacyCronExpression) {
-    return { syntax: 'cron', expression: input.legacyCronExpression };
+    return { syntax: input.syntax ?? 'cron', expression: input.legacyCronExpression };
   }
 
   return null;

package/src/schedule/schedule-store.ts

@@ -4,8 +4,11 @@ import { Cron } from 'croner';
 import { getDb } from '../memory/db.js';
 import { scheduleJobs, scheduleRuns } from '../memory/schema.js';
 import { computeNextRunAt as computeNextRunAtEngine, isValidScheduleExpression } from './recurrence-engine.js';
+import { getLogger } from '../util/logger.js';
 import type { ScheduleSyntax } from './recurrence-types.js';
 
+const logger = getLogger('schedule-store');
+
 export interface ScheduleJob {
   id: string;
   name: string;
@@ -216,9 +219,15 @@ export function claimDueSchedules(now: number): ScheduleJob[] {
         expression: row.cronExpression,
         timezone: row.timezone,
       });
-    } catch {
-      // Finite schedule with no future runs — still claim the current due
-      // run but disable the schedule so it doesn't fire again.
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      if (!msg.includes('no upcoming runs')) {
+        // Log but don't abort — one bad schedule shouldn't block everything
+        logger.warn({ err, scheduleId: row.id }, 'Failed to compute next run for schedule');
+        continue;
+      }
+      // Expired schedules fire their final pending due run then auto-disable,
+      // ensuring no due run is silently dropped.
       newNextRunAt = null;
       exhausted = true;
     }

package/src/security/secret-scanner.ts

@@ -81,6 +81,13 @@ const PATTERNS: SecretPattern[] = [
     regex: /(https:\/\/hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[A-Za-z0-9]+)/g,
   },
 
+  // -- Telegram --
+  {
+    type: 'Telegram Bot Token',
+    // Format: <bot_id>:<secret> where bot_id is 8-10 digits and secret is 35 alphanumeric/dash/underscore chars
+    regex: /\b([0-9]{8,10}:[A-Za-z0-9_-]{35})(?=[^A-Za-z0-9_-]|$)/g,
+  },
+
   // -- Anthropic --
   {
     type: 'Anthropic API Key',

package/src/tasks/ephemeral-permissions.ts

@@ -44,7 +44,5 @@ export function buildTaskRules(taskRunId: string, requiredTools: string[], _work
     allowHighRisk: true,
     priority: 75,
     createdAt: Date.now(),
-    principalKind: 'task',
-    principalId: taskRunId,
   }));
 }

package/src/tasks/task-scheduler.ts

@@ -1,7 +1,8 @@
 import { createSchedule } from '../schedule/schedule-store.js';
 
 /**
- * Create a recurrence schedule that runs a task on a cron or RRULE expression.
+ * Create a cron schedule that runs a task on a recurring cron expression.
+ * RRULE syntax is supported at the store layer but this helper currently defaults to cron.
  * The scheduler detects the `run_task:<taskId>` message format
  * and delegates to runTask() instead of processMessage().
  */

package/src/tools/calls/call-start.ts

@@ -24,6 +24,11 @@ const definition: ToolDefinition = {
         type: 'string',
         description: 'Additional context for the conversation',
       },
+      caller_identity_mode: {
+        type: 'string',
+        enum: ['assistant_number', 'user_number'],
+        description: 'Which phone number to use as the caller ID. assistant_number uses the AI assistant\'s Twilio number; user_number uses the user\'s verified personal number.',
+      },
     },
     required: ['phone_number', 'task'],
   },
@@ -49,6 +54,7 @@ class CallStartTool implements Tool {
       task: input.task as string,
       context: input.context as string | undefined,
       conversationId: context.conversationId,
+      callerIdentityMode: input.caller_identity_mode as 'assistant_number' | 'user_number' | undefined,
     });
 
     if (!result.ok) {
@@ -61,6 +67,8 @@ class CallStartTool implements Tool {
         `  Call Session ID: ${result.session.id}`,
         `  Call SID: ${result.callSid}`,
         `  To: ${result.session.toNumber}`,
+        `  From: ${result.session.fromNumber}`,
+        `  Caller Identity Mode: ${result.callerIdentityMode}`,
         `  Status: initiated`,
         '',
         'The AI voice assistant is now placing the call. Use call_status to check progress.',

package/src/tools/execution-target.ts

@@ -0,0 +1,21 @@
+import type { ExecutionTarget } from './types.js';
+import { getTool } from './registry.js';
+
+export function resolveExecutionTarget(toolName: string): ExecutionTarget {
+  const tool = getTool(toolName);
+  // Manifest-declared execution target is authoritative — check it first so
+  // skill tools with host_/computer_use_ prefixes aren't mis-classified.
+  if (tool?.executionTarget) {
+    return tool.executionTarget;
+  }
+  // Check the tool's executionMode metadata — proxy tools run on the connected
+  // client (host), not inside the sandbox.
+  if (tool?.executionMode === 'proxy') {
+    return 'host';
+  }
+  // Prefix heuristics for core tools that don't declare an explicit target.
+  if (toolName.startsWith('host_') || toolName.startsWith('computer_use_')) {
+    return 'host';
+  }
+  return 'sandbox';
+}

package/src/tools/execution-timeout.ts

@@ -0,0 +1,49 @@
+import type { ToolExecutionResult } from './types.js';
+
+const TIMEOUT_SENTINEL = Symbol('tool-timeout');
+
+export const DEFAULT_TOOL_TIMEOUT_SEC = 120;
+
+/**
+ * Convert a config-provided seconds value to a safe milliseconds value,
+ * falling back to the default if the input is NaN, non-finite, zero, or negative.
+ */
+export function safeTimeoutMs(sec: unknown): number {
+  const n = Number(sec);
+  if (!Number.isFinite(n) || n <= 0) {
+    return DEFAULT_TOOL_TIMEOUT_SEC * 1000;
+  }
+  return n * 1000;
+}
+
+/**
+ * Race a tool execution promise against a timeout. Returns a timeout error
+ * result instead of throwing so the agent loop can continue gracefully.
+ */
+export async function executeWithTimeout(
+  promise: Promise<ToolExecutionResult>,
+  timeoutMs: number,
+  toolName: string,
+): Promise<ToolExecutionResult> {
+  // Guard against NaN/invalid values that would cause setTimeout to fire immediately
+  const safeMs = Number.isFinite(timeoutMs) && timeoutMs > 0
+    ? timeoutMs
+    : DEFAULT_TOOL_TIMEOUT_SEC * 1000;
+  let timeoutHandle: ReturnType<typeof setTimeout>;
+  const timeoutPromise = new Promise<typeof TIMEOUT_SENTINEL>((resolve) => {
+    timeoutHandle = setTimeout(() => resolve(TIMEOUT_SENTINEL), safeMs);
+  });
+  try {
+    const result = await Promise.race([promise, timeoutPromise]);
+    if (result === TIMEOUT_SENTINEL) {
+      const sec = Math.round(safeMs / 1000);
+      return {
+        content: `Tool "${toolName}" timed out after ${sec}s. The operation may still be running in the background. Consider increasing timeouts.toolExecutionTimeoutSec in the config.`,
+        isError: true,
+      };
+    }
+    return result;
+  } finally {
+    clearTimeout(timeoutHandle!);
+  }
+}

package/src/tools/executor.ts

@@ -1,8 +1,7 @@
 import { readFileSync, existsSync, statSync } from 'node:fs';
 import { getTool, getAllTools } from './registry.js';
-import type { ExecutionTarget, Tool, ToolContext, ToolExecutionResult, ToolLifecycleEvent } from './types.js';
+import type { ToolContext, ToolExecutionResult, ToolLifecycleEvent } from './types.js';
 import { RiskLevel } from '../permissions/types.js';
-import type { PolicyContext } from '../permissions/types.js';
 import { check, classifyRisk, generateAllowlistOptions, generateScopeOptions } from '../permissions/checker.js';
 import { addRule } from '../permissions/trust-store.js';
 import { PermissionPrompter } from '../permissions/prompter.js';
@@ -18,6 +17,9 @@ import { scanText, redactSecrets } from '../security/secret-scanner.js';
 import { redactSensitiveFields } from '../security/redaction.js';
 import { getHookManager } from '../hooks/manager.js';
 import { getTaskRunRules } from '../tasks/ephemeral-permissions.js';
+import { safeTimeoutMs, executeWithTimeout } from './execution-timeout.js';
+import { buildPolicyContext } from './policy-context.js';
+import { resolveExecutionTarget } from './execution-target.js';
 
 const log = getLogger('tool-executor');
 
@@ -196,7 +198,7 @@ export class ToolExecutor {
         }
 
         // Need user approval
-        const allowlistOptions = generateAllowlistOptions(name, input);
+        const allowlistOptions = await generateAllowlistOptions(name, input);
         const scopeOptions = generateScopeOptions(context.workingDir, name);
 
         // Compute preview diff for file tools so the user sees what will change
@@ -253,11 +255,6 @@ export class ToolExecutor {
           sandboxed,
           context.conversationId,
           executionTarget,
-          policyContext?.principal ? {
-            kind: policyContext.principal.kind,
-            id: policyContext.principal.id,
-            version: policyContext.principal.version,
-          } : undefined,
           persistentDecisionsAllowed,
         );
 
@@ -325,9 +322,6 @@ export class ToolExecutor {
         ) {
           const ruleOptions: {
             allowHighRisk?: boolean;
-            principalKind?: string;
-            principalId?: string;
-            principalVersion?: string;
             executionTarget?: string;
           } = {};
 
@@ -335,19 +329,6 @@ export class ToolExecutor {
             ruleOptions.allowHighRisk = true;
           }
 
-          // Capture the principal context from the tool so the saved rule
-          // is scoped to the specific skill/version that was approved.
-          if (policyContext?.principal) {
-            if (policyContext.principal.kind != null) {
-              ruleOptions.principalKind = policyContext.principal.kind;
-            }
-            if (policyContext.principal.id != null) {
-              ruleOptions.principalId = policyContext.principal.id;
-            }
-            if (policyContext.principal.version != null) {
-              ruleOptions.principalVersion = policyContext.principal.version;
-            }
-          }
           if (policyContext?.executionTarget != null) {
             ruleOptions.executionTarget = policyContext.executionTarget;
           }
@@ -393,11 +374,7 @@ export class ToolExecutor {
       const rawTimeoutSec = getConfig().timeouts.toolExecutionTimeoutSec;
       const toolTimeoutMs = safeTimeoutMs(rawTimeoutSec);
 
-      // Enrich context with principal so tools (e.g. claude_code) can
-      // forward it through sub-tool confirmation requests.
-      const execContext = policyContext?.principal
-        ? { ...context, principal: policyContext.principal }
-        : context;
+      const execContext = context;
 
       if (tool.executionMode === 'proxy') {
         if (!context.proxyToolResolver) {
@@ -589,7 +566,6 @@ export class ToolExecutor {
               undefined, // not sandboxed
               context.conversationId,
               executionTarget,
-              undefined, // no principal
               false, // no persistent decisions
             );
 
@@ -756,111 +732,6 @@ export function isSideEffectTool(toolName: string, input?: Record<string, unknow
   return false;
 }
 
-const TIMEOUT_SENTINEL = Symbol('tool-timeout');
-
-const DEFAULT_TOOL_TIMEOUT_SEC = 120;
-
-/**
- * Convert a config-provided seconds value to a safe milliseconds value,
- * falling back to the default if the input is NaN, non-finite, zero, or negative.
- */
-function safeTimeoutMs(sec: unknown): number {
-  const n = Number(sec);
-  if (!Number.isFinite(n) || n <= 0) {
-    return DEFAULT_TOOL_TIMEOUT_SEC * 1000;
-  }
-  return n * 1000;
-}
-
-/**
- * Race a tool execution promise against a timeout. Returns a timeout error
- * result instead of throwing so the agent loop can continue gracefully.
- */
-async function executeWithTimeout(
-  promise: Promise<ToolExecutionResult>,
-  timeoutMs: number,
-  toolName: string,
-): Promise<ToolExecutionResult> {
-  // Guard against NaN/invalid values that would cause setTimeout to fire immediately
-  const safeMs = Number.isFinite(timeoutMs) && timeoutMs > 0
-    ? timeoutMs
-    : DEFAULT_TOOL_TIMEOUT_SEC * 1000;
-  let timeoutHandle: ReturnType<typeof setTimeout>;
-  const timeoutPromise = new Promise<typeof TIMEOUT_SENTINEL>((resolve) => {
-    timeoutHandle = setTimeout(() => resolve(TIMEOUT_SENTINEL), safeMs);
-  });
-  try {
-    const result = await Promise.race([promise, timeoutPromise]);
-    if (result === TIMEOUT_SENTINEL) {
-      const sec = Math.round(safeMs / 1000);
-      return {
-        content: `Tool "${toolName}" timed out after ${sec}s. The operation may still be running in the background. Consider increasing timeouts.toolExecutionTimeoutSec in the config.`,
-        isError: true,
-      };
-    }
-    return result;
-  } finally {
-    clearTimeout(timeoutHandle!);
-  }
-}
-
-/**
- * Build a PolicyContext from tool metadata and execution context. Skill-origin
- * tools carry a principal identifying the owning skill. When executing within
- * a task run, ephemeral permission rules are included so pre-approved tools
- * are auto-allowed without prompting.
- */
-function buildPolicyContext(tool: Tool, context?: ToolContext): PolicyContext | undefined {
-  const ephemeralRules = context?.taskRunId
-    ? getTaskRunRules(context.taskRunId)
-    : undefined;
-
-  if (tool.origin === 'skill') {
-    return {
-      principal: {
-        kind: 'skill',
-        id: tool.ownerSkillId,
-        version: tool.ownerSkillVersionHash,
-      },
-      executionTarget: tool.executionTarget,
-      ephemeralRules: ephemeralRules?.length ? ephemeralRules : undefined,
-    };
-  }
-
-  // For non-skill tools in a task run, create a context with task principal
-  // and ephemeral rules so pre-approved tools are honored.
-  if (context?.taskRunId && ephemeralRules?.length) {
-    return {
-      principal: {
-        kind: 'task',
-        id: context.taskRunId,
-      },
-      ephemeralRules,
-    };
-  }
-
-  return undefined;
-}
-
-function resolveExecutionTarget(toolName: string): ExecutionTarget {
-  const tool = getTool(toolName);
-  // Manifest-declared execution target is authoritative — check it first so
-  // skill tools with host_/computer_use_ prefixes aren't mis-classified.
-  if (tool?.executionTarget) {
-    return tool.executionTarget;
-  }
-  // Check the tool's executionMode metadata — proxy tools run on the connected
-  // client (host), not inside the sandbox.
-  if (tool?.executionMode === 'proxy') {
-    return 'host';
-  }
-  // Prefix heuristics for core tools that don't declare an explicit target.
-  if (toolName.startsWith('host_') || toolName.startsWith('computer_use_')) {
-    return 'host';
-  }
-  return 'sandbox';
-}
-
 /**
  * Sanitize tool inputs before they are emitted in lifecycle events and hooks.
  * Applies recursive field-level redaction for known-sensitive keys.

package/src/tools/network/web-search.ts

@@ -5,31 +5,12 @@ import { registerTool } from '../registry.js';
 import { getConfig } from '../../config/loader.js';
 import { getSecureKey } from '../../security/secure-keys.js';
 import { getLogger } from '../../util/logger.js';
+import { getHttpRetryDelay, sleep, DEFAULT_MAX_RETRIES, DEFAULT_BASE_DELAY_MS } from '../../util/retry.js';
 
 const log = getLogger('web-search');
 
 const BRAVE_API_URL = 'https://api.search.brave.com/res/v1/web/search';
 const PERPLEXITY_API_URL = 'https://api.perplexity.ai/chat/completions';
-const RATE_LIMIT_MAX_RETRIES = 3;
-const RATE_LIMIT_BASE_DELAY_MS = 1000;
-
-/**
- * Parse a Retry-After header value into milliseconds.
- * RFC 7231 allows either delta-seconds (e.g. "120") or an HTTP-date
- * (e.g. "Tue, 17 Feb 2026 12:00:00 GMT"). Returns undefined if unparseable.
- */
-function parseRetryAfterMs(value: string): number | undefined {
-  const seconds = Number(value);
-  if (!isNaN(seconds)) {
-    return seconds * 1000;
-  }
-  // Try HTTP-date format — Date.parse handles RFC 2822 / IMF-fixdate
-  const dateMs = Date.parse(value);
-  if (!isNaN(dateMs)) {
-    return Math.max(0, dateMs - Date.now());
-  }
-  return undefined;
-}
 
 type WebSearchProvider = 'perplexity' | 'brave';
 
@@ -148,7 +129,7 @@ async function executeBraveSearch(
 
   const url = `${BRAVE_API_URL}?${params.toString()}`;
 
-  for (let attempt = 0; attempt <= RATE_LIMIT_MAX_RETRIES; attempt++) {
+  for (let attempt = 0; attempt <= DEFAULT_MAX_RETRIES; attempt++) {
     const response = await fetch(url, {
       headers: {
         'Accept': 'application/json',
@@ -169,12 +150,10 @@ async function executeBraveSearch(
       return { content: 'Error: Invalid or expired Brave Search API key', isError: true };
     }
 
-    if (response.status === 429 && attempt < RATE_LIMIT_MAX_RETRIES) {
-      const retryAfter = response.headers.get('retry-after');
-      const parsed = retryAfter ? parseRetryAfterMs(retryAfter) : undefined;
-      const delayMs = parsed ?? RATE_LIMIT_BASE_DELAY_MS * Math.pow(2, attempt);
+    if (response.status === 429 && attempt < DEFAULT_MAX_RETRIES) {
+      const delayMs = getHttpRetryDelay(response, attempt, DEFAULT_BASE_DELAY_MS);
       log.warn({ attempt: attempt + 1, delayMs }, 'Brave Search rate limited, retrying');
-      await new Promise(resolve => setTimeout(resolve, delayMs));
+      await sleep(delayMs);
       continue;
     }
 
@@ -192,7 +171,7 @@ async function executePerplexitySearch(
   query: string,
   apiKey: string,
 ): Promise<ToolExecutionResult> {
-  for (let attempt = 0; attempt <= RATE_LIMIT_MAX_RETRIES; attempt++) {
+  for (let attempt = 0; attempt <= DEFAULT_MAX_RETRIES; attempt++) {
     const response = await fetch(PERPLEXITY_API_URL, {
       method: 'POST',
       headers: {
@@ -218,12 +197,10 @@ async function executePerplexitySearch(
       return { content: 'Error: Invalid or expired Perplexity API key', isError: true };
     }
 
-    if (response.status === 429 && attempt < RATE_LIMIT_MAX_RETRIES) {
-      const retryAfter = response.headers.get('retry-after');
-      const parsed = retryAfter ? parseRetryAfterMs(retryAfter) : undefined;
-      const delayMs = parsed ?? RATE_LIMIT_BASE_DELAY_MS * Math.pow(2, attempt);
+    if (response.status === 429 && attempt < DEFAULT_MAX_RETRIES) {
+      const delayMs = getHttpRetryDelay(response, attempt, DEFAULT_BASE_DELAY_MS);
       log.warn({ attempt: attempt + 1, delayMs }, 'Perplexity rate limited, retrying');
-      await new Promise(resolve => setTimeout(resolve, delayMs));
+      await sleep(delayMs);
       continue;
     }
 

package/src/tools/policy-context.ts

@@ -0,0 +1,29 @@
+import type { PolicyContext } from '../permissions/types.js';
+import type { Tool, ToolContext } from './types.js';
+import { getTaskRunRules } from '../tasks/ephemeral-permissions.js';
+
+/**
+ * Build a PolicyContext from tool metadata and execution context.
+ * When executing within a task run, ephemeral permission rules are
+ * included so pre-approved tools are auto-allowed without prompting.
+ */
+export function buildPolicyContext(tool: Tool, context?: ToolContext): PolicyContext | undefined {
+  const ephemeralRules = context?.taskRunId
+    ? getTaskRunRules(context.taskRunId)
+    : undefined;
+
+  if (tool.origin === 'skill') {
+    return {
+      executionTarget: tool.executionTarget,
+      ephemeralRules: ephemeralRules?.length ? ephemeralRules : undefined,
+    };
+  }
+
+  if (context?.taskRunId && ephemeralRules?.length) {
+    return {
+      ephemeralRules,
+    };
+  }
+
+  return undefined;
+}

package/src/tools/schedule/update.ts

@@ -1,6 +1,6 @@
 import type { ToolContext, ToolExecutionResult } from '../types.js';
 import { updateSchedule, formatLocalDate, describeCronExpression } from '../../schedule/schedule-store.js';
-import { normalizeScheduleSyntax, type ScheduleSyntax } from '../../schedule/recurrence-types.js';
+import { normalizeScheduleSyntax, detectScheduleSyntax, type ScheduleSyntax } from '../../schedule/recurrence-types.js';
 import { validateRruleSetLines } from '../../schedule/recurrence-engine.js';
 
 export async function executeScheduleUpdate(
@@ -31,9 +31,16 @@ export async function executeScheduleUpdate(
       updates.expression = resolved.expression;
     } else if (input.expression !== undefined) {
       updates.expression = input.expression;
+      const detected = detectScheduleSyntax(input.expression as string);
+      if (detected) updates.syntax = detected;
     } else if (input.cron_expression !== undefined) {
       updates.cronExpression = input.cron_expression;
     }
+    // When only syntax is provided (no expression), normalizeScheduleSyntax returns null
+    // but we still need to persist the explicit syntax value.
+    if (input.syntax !== undefined && updates.syntax === undefined) {
+      updates.syntax = input.syntax;
+    }
   }
 
   if (Object.keys(updates).length === 0) {

package/src/tools/terminal/parser.ts

@@ -3,6 +3,7 @@ import { readFileSync, existsSync } from 'node:fs';
 import { createHash } from 'node:crypto';
 import { getLogger } from '../../util/logger.js';
 import { IntegrityError } from '../../util/errors.js';
+import { PromiseGuard } from '../../util/promise-guard.js';
 import { Parser, Language, type Node as TSNode } from 'web-tree-sitter';
 
 const log = getLogger('shell-parser');
@@ -73,7 +74,7 @@ function verifyWasmChecksum(filePath: string, label: string): void {
 }
 
 let parserInstance: Parser | null = null;
-let initPromise: Promise<void> | null = null;
+const initGuard = new PromiseGuard<void>();
 
 /**
  * Locate a WASM file from a dependency package.
@@ -105,27 +106,24 @@ function findWasmPath(pkg: string, file: string): string {
 async function ensureParser(): Promise<Parser> {
   if (parserInstance) return parserInstance;
 
-  if (!initPromise) {
-    initPromise = (async () => {
-      const treeSitterWasm = findWasmPath('web-tree-sitter', 'web-tree-sitter.wasm');
-      const bashWasmPath = findWasmPath('tree-sitter-bash', 'tree-sitter-bash.wasm');
+  await initGuard.run(async () => {
+    const treeSitterWasm = findWasmPath('web-tree-sitter', 'web-tree-sitter.wasm');
+    const bashWasmPath = findWasmPath('tree-sitter-bash', 'tree-sitter-bash.wasm');
 
-      verifyWasmChecksum(treeSitterWasm, 'web-tree-sitter.wasm');
-      verifyWasmChecksum(bashWasmPath, 'tree-sitter-bash.wasm');
+    verifyWasmChecksum(treeSitterWasm, 'web-tree-sitter.wasm');
+    verifyWasmChecksum(bashWasmPath, 'tree-sitter-bash.wasm');
 
-      await Parser.init({
-        locateFile: () => treeSitterWasm,
-      });
+    await Parser.init({
+      locateFile: () => treeSitterWasm,
+    });
 
-      const Bash = await Language.load(bashWasmPath);
-      const parser = new Parser();
-      parser.setLanguage(Bash);
-      parserInstance = parser;
-      log.info('Shell parser initialized (web-tree-sitter + bash, checksums verified)');
-    })();
-  }
+    const Bash = await Language.load(bashWasmPath);
+    const parser = new Parser();
+    parser.setLanguage(Bash);
+    parserInstance = parser;
+    log.info('Shell parser initialized (web-tree-sitter + bash, checksums verified)');
+  });
 
-  await initPromise;
   return parserInstance!;
 }
 

package/src/tools/types.ts

@@ -1,4 +1,4 @@
-import type { RiskLevel, AllowlistOption, ScopeOption, ToolPrincipalKind } from '../permissions/types.js';
+import type { RiskLevel, AllowlistOption, ScopeOption } from '../permissions/types.js';
 import type { ToolDefinition, ContentBlock } from '../providers/types.js';
 import type { SecretPromptResult } from '../permissions/secret-prompter.js';
 
@@ -12,12 +12,6 @@ interface ToolLifecycleEventBase {
   conversationId: string;
   requestId?: string;
   executionTarget?: ExecutionTarget;
-  /** Security principal kind (e.g. 'core', 'skill', or 'task'). */
-  principalKind?: ToolPrincipalKind;
-  /** Security principal ID (skill ID when principalKind is 'skill'; task ID when 'task'). */
-  principalId?: string;
-  /** Content-hash of the principal's source at invocation time. */
-  principalVersion?: string;
 }
 
 export interface ToolExecutionStartEvent extends ToolLifecycleEventBase {
@@ -109,16 +103,13 @@ export interface ToolContext {
   proxyToolResolver?: ProxyToolResolver;
   /** When set, only tools in this set may execute. Tools outside the set are blocked with an error. */
   allowedToolNames?: Set<string>;
-  /** Principal that owns this tool invocation (set by executor from tool metadata). */
-  principal?: { kind?: string; id?: string; version?: string };
   /** Request user confirmation for a sub-tool operation (used by claude_code tool). */
   requestConfirmation?: (req: {
     toolName: string;
     input: Record<string, unknown>;
     riskLevel: string;
     executionTarget?: ExecutionTarget;
-    /** Principal that owns the parent tool invocation. */
-    principal?: { kind?: string; id?: string; version?: string };
+    principal?: string;
   }) => Promise<{ decision: 'allow' | 'deny' }>;
   /** Prompt the user for a secret value via native SecureField UI. */
   requestSecret?: (params: {
@@ -141,6 +132,8 @@ export interface ToolContext {
   forcePromptSideEffects?: boolean;
   /** Approval callback for proxy policy decisions that require user confirmation. */
   proxyApprovalCallback?: import('./network/script-proxy/types.js').ProxyApprovalCallback;
+  /** Optional principal identifier propagated to sub-tool confirmation flows. */
+  principal?: string;
 }
 
 export interface DiffInfo {