vellum 0.2.7 → 0.2.8

package/src/__tests__/tool-executor.test.ts

@@ -1965,3 +1965,91 @@ describe('buildSanitizedEnv — baseline: credential exclusion', () => {
     }
   });
 });
+
+// ---------------------------------------------------------------------------
+// Persistent-allow lifecycle: roundtrip and auto-allow on subsequent invocation
+// ---------------------------------------------------------------------------
+
+describe('ToolExecutor persistent-allow lifecycle', () => {
+  beforeEach(() => {
+    fakeToolResult = { content: 'ok', isError: false };
+    lastCheckArgs = undefined;
+    getToolOverride = undefined;
+    checkResultOverride = undefined;
+    checkFnOverride = undefined;
+    if (addRuleSpy) { addRuleSpy.mockRestore(); addRuleSpy = undefined; }
+  });
+
+  function setupAddRuleSpy() {
+    addRuleSpy = spyOn(trustStore, 'addRule').mockImplementation(
+      (tool: string, pattern: string, scope: string, decision = 'allow', priority = 100, options?: any) => {
+        return { id: 'spy-rule-id', tool, pattern, scope, decision, priority, createdAt: Date.now(), ...options } as any;
+      },
+    );
+    return addRuleSpy;
+  }
+
+  test('persistent-allow roundtrip: always_allow saves rule and allows tool', async () => {
+    // Simulate check() returning 'prompt' so the executor asks the user
+    checkResultOverride = { decision: 'prompt', reason: 'Medium risk: requires approval' };
+    const spy = setupAddRuleSpy();
+
+    // User responds with always_allow, selecting a pattern and scope
+    const prompter = makePrompterWithDecision('always_allow', 'git *', '/tmp/project');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute('bash', { command: 'git status' }, makeContext());
+
+    // The tool should have been allowed to proceed
+    expect(result.isError).toBe(false);
+    expect(result.content).toBe('ok');
+
+    // addRule should have been called with the correct arguments
+    expect(spy).toHaveBeenCalledTimes(1);
+    const [tool, pattern, scope, decision] = spy.mock.calls[0];
+    expect(tool).toBe('bash');
+    expect(pattern).toBe('git *');
+    expect(scope).toBe('/tmp/project');
+    expect(decision).toBe('allow');
+  });
+
+  test('auto-allow on subsequent invocation: matching rule skips prompt', async () => {
+    // Simulate a previously saved rule by making check() return 'allow'
+    // with a matched rule (as findHighestPriorityRule would).
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule: git *' };
+
+    let promptCalled = false;
+    const trackingPrompter = {
+      prompt: async () => { promptCalled = true; return { decision: 'allow' as const }; },
+      resolveConfirmation: () => {},
+      updateSender: () => {},
+      dispose: () => {},
+    } as unknown as PermissionPrompter;
+
+    const executor = new ToolExecutor(trackingPrompter);
+    const result = await executor.execute('bash', { command: 'git status' }, makeContext());
+
+    // The tool should be auto-allowed
+    expect(result.isError).toBe(false);
+    expect(result.content).toBe('ok');
+
+    // The prompter should NOT have been called — the rule auto-allowed
+    expect(promptCalled).toBe(false);
+  });
+
+  test('always_allow with everywhere scope saves rule and allows tool', async () => {
+    checkResultOverride = { decision: 'prompt', reason: 'Medium risk: requires approval' };
+    const spy = setupAddRuleSpy();
+
+    const prompter = makePrompterWithDecision('always_allow', 'file_write:*', 'everywhere');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute('file_write', { path: '/tmp/test.txt', content: 'hello' }, makeContext());
+
+    expect(result.isError).toBe(false);
+    expect(spy).toHaveBeenCalledTimes(1);
+    const [tool, pattern, scope, decision] = spy.mock.calls[0];
+    expect(tool).toBe('file_write');
+    expect(pattern).toBe('file_write:*');
+    expect(scope).toBe('everywhere');
+    expect(decision).toBe('allow');
+  });
+});

package/src/__tests__/turn-commit.test.ts

@@ -487,4 +487,68 @@ describe('LLM commit message integration', () => {
 
     expect(fullMessage).toContain('Turn:');
   });
+
+  test('changed files from preStatus are passed to generator', async () => {
+    let capturedContext: { changedFiles: string[] } | undefined;
+    let capturedOptions: { changedFiles: string[] } | undefined;
+
+    const llmResult: GenerateCommitMessageResult = {
+      message: 'feat: captured context test',
+      source: 'llm',
+    };
+
+    mock.module('../workspace/provider-commit-message-generator.js', () => ({
+      getCommitMessageGenerator: () => ({
+        generateCommitMessage: async (ctx: { changedFiles: string[] }, opts: { changedFiles: string[] }) => {
+          capturedContext = ctx;
+          capturedOptions = opts;
+          return llmResult;
+        },
+      }),
+    }));
+
+    const { commitTurnChanges: commit } = await import('../workspace/turn-commit.js');
+
+    const service = new WorkspaceGitService(testDir);
+    await service.ensureInitialized();
+
+    writeFileSync(join(testDir, 'alpha.ts'), 'export const a = 1;');
+    writeFileSync(join(testDir, 'beta.ts'), 'export const b = 2;');
+
+    await commit(testDir, 'sess_files', 1);
+
+    // The generator should have received the actual file list, not empty arrays
+    expect(capturedContext).toBeDefined();
+    expect(capturedContext!.changedFiles.length).toBeGreaterThan(0);
+    expect(capturedContext!.changedFiles).toContain('alpha.ts');
+    expect(capturedContext!.changedFiles).toContain('beta.ts');
+
+    expect(capturedOptions).toBeDefined();
+    expect(capturedOptions!.changedFiles.length).toBeGreaterThan(0);
+    expect(capturedOptions!.changedFiles).toContain('alpha.ts');
+    expect(capturedOptions!.changedFiles).toContain('beta.ts');
+  });
+
+  test('clean workspace skips LLM generator call', async () => {
+    let generatorCalled = false;
+
+    mock.module('../workspace/provider-commit-message-generator.js', () => ({
+      getCommitMessageGenerator: () => ({
+        generateCommitMessage: async () => {
+          generatorCalled = true;
+          return { message: 'should not be called', source: 'llm' as const };
+        },
+      }),
+    }));
+
+    const { commitTurnChanges: commit } = await import('../workspace/turn-commit.js');
+
+    const service = new WorkspaceGitService(testDir);
+    await service.ensureInitialized();
+
+    // No file changes — workspace is clean
+    await commit(testDir, 'sess_clean', 1);
+
+    expect(generatorCalled).toBe(false);
+  });
 });

package/src/calls/twilio-config.ts

@@ -2,6 +2,7 @@ import { getSecureKey } from '../security/secure-keys.js';
 import { getLogger } from '../util/logger.js';
 import { loadConfig } from '../config/loader.js';
 import { getWebhookBaseUrl } from './twilio-webhook-urls.js';
+import { getTwilioRelayUrl } from '../inbound/public-ingress-urls.js';
 
 const log = getLogger('twilio-config');
 
@@ -19,7 +20,22 @@ export function getTwilioConfig(): TwilioConfig {
   const phoneNumber = process.env.TWILIO_PHONE_NUMBER || getSecureKey('credential:twilio:phone_number') || '';
   const config = loadConfig();
   const webhookBaseUrl = getWebhookBaseUrl(config);
-  const wssBaseUrl = process.env.TWILIO_WSS_BASE_URL || '';
+
+  // In gateway_only mode, ignore TWILIO_WSS_BASE_URL and always use the
+  // centralized relay URL derived from the public ingress base URL.
+  let wssBaseUrl: string;
+  if (config.ingress.mode === 'gateway_only') {
+    if (process.env.TWILIO_WSS_BASE_URL) {
+      log.warn('TWILIO_WSS_BASE_URL env var is ignored in gateway-only mode. Relay URL is derived from ingress.publicBaseUrl.');
+    }
+    try {
+      wssBaseUrl = getTwilioRelayUrl(config);
+    } catch {
+      wssBaseUrl = '';
+    }
+  } else {
+    wssBaseUrl = process.env.TWILIO_WSS_BASE_URL || '';
+  }
 
   if (!accountSid || !authToken) {
     throw new Error('Twilio credentials not configured. Set credential:twilio:account_sid and credential:twilio:auth_token via the credential_store tool.');

package/src/calls/twilio-routes.ts

@@ -22,6 +22,8 @@ import type { CallStatus } from './types.js';
 import { logDeadLetterEvent } from './call-recovery.js';
 import { isTerminalState } from './call-state-machine.js';
 import { getTwilioConfig } from './twilio-config.js';
+import { loadConfig } from '../config/loader.js';
+import { getTwilioRelayUrl } from '../inbound/public-ingress-urls.js';
 
 const log = getLogger('twilio-routes');
 
@@ -125,8 +127,14 @@ export async function handleVoiceWebhook(req: Request): Promise<Response> {
     log.info({ callSessionId, callSid }, 'Stored CallSid from voice webhook');
   }
 
-  const config = getTwilioConfig();
-  const relayUrl = resolveRelayUrl(config.wssBaseUrl, config.webhookBaseUrl);
+  const twilioConfig = getTwilioConfig();
+  let relayUrl: string;
+  try {
+    relayUrl = getTwilioRelayUrl(loadConfig());
+  } catch {
+    // Fallback to legacy resolution when ingress is not configured
+    relayUrl = resolveRelayUrl(twilioConfig.wssBaseUrl, twilioConfig.webhookBaseUrl);
+  }
   const welcomeGreeting = process.env.CALL_WELCOME_GREETING ?? 'Hello, how can I help you today?';
 
   const twiml = generateTwiML(callSessionId, relayUrl, welcomeGreeting);

package/src/calls/twilio-webhook-urls.ts

@@ -1,31 +1,24 @@
-import { getLogger } from '../util/logger.js';
+/**
+ * Twilio webhook URL helpers.
+ *
+ * This module is a thin backward-compat wrapper that delegates to the
+ * centralized URL builders in inbound/public-ingress-urls.ts.
+ */
 
-const log = getLogger('twilio-webhook-urls');
+import {
+  getPublicBaseUrl,
+  type IngressConfig,
+} from '../inbound/public-ingress-urls.js';
 
 /**
  * Resolve the webhook base URL from config, falling back to the
  * TWILIO_WEBHOOK_BASE_URL environment variable with a deprecation warning.
  * Throws if neither source provides a value.
+ *
+ * @deprecated Use `getPublicBaseUrl` from `inbound/public-ingress-urls.ts` instead.
  */
-export function getWebhookBaseUrl(config: { calls: { webhookBaseUrl?: string } }): string {
-  const configValue = config.calls.webhookBaseUrl;
-  if (configValue) {
-    const normalized = normalizeBaseUrl(configValue);
-    if (normalized) return normalized;
-  }
-
-  const envValue = process.env.TWILIO_WEBHOOK_BASE_URL;
-  if (envValue) {
-    log.warn(
-      'TWILIO_WEBHOOK_BASE_URL env var is deprecated — set calls.webhookBaseUrl in config instead.',
-    );
-    const normalized = normalizeBaseUrl(envValue);
-    if (normalized) return normalized;
-  }
-
-  throw new Error(
-    'No webhook base URL configured. Set calls.webhookBaseUrl in config or TWILIO_WEBHOOK_BASE_URL env var.',
-  );
+export function getWebhookBaseUrl(config: { calls: { webhookBaseUrl?: string }; ingress?: { publicBaseUrl?: string } }): string {
+  return getPublicBaseUrl(config as IngressConfig);
 }
 
 /**
@@ -37,6 +30,8 @@ export function normalizeBaseUrl(url: string): string {
 
 /**
  * Build the Twilio voice webhook URL for a given call session.
+ *
+ * @deprecated Use `getTwilioVoiceWebhookUrl` from `inbound/public-ingress-urls.ts` instead.
  */
 export function buildTwilioVoiceWebhookUrl(baseUrl: string, callSessionId: string): string {
   return `${normalizeBaseUrl(baseUrl)}/webhooks/twilio/voice?callSessionId=${callSessionId}`;
@@ -44,6 +39,8 @@ export function buildTwilioVoiceWebhookUrl(baseUrl: string, callSessionId: strin
 
 /**
  * Build the Twilio status callback URL.
+ *
+ * @deprecated Use `getTwilioStatusCallbackUrl` from `inbound/public-ingress-urls.ts` instead.
  */
 export function buildTwilioStatusCallbackUrl(baseUrl: string): string {
   return `${normalizeBaseUrl(baseUrl)}/webhooks/twilio/status`;

package/src/config/defaults.ts

@@ -228,4 +228,8 @@ export const DEFAULT_CONFIG: AssistantConfig = {
       denyCategories: [],
     },
   },
+  ingress: {
+    publicBaseUrl: '',
+    mode: 'compat' as const,
+  },
 };

package/src/config/schema.ts

@@ -9,6 +9,7 @@ const VALID_SANDBOX_BACKENDS = ['native', 'docker'] as const;
 const VALID_DOCKER_NETWORKS = ['none', 'bridge'] as const;
 const VALID_PERMISSIONS_MODES = ['legacy', 'strict'] as const;
 const VALID_CALL_PROVIDERS = ['twilio'] as const;
+const VALID_INGRESS_MODES = ['gateway_only', 'compat'] as const;
 
 export const TimeoutConfigSchema = z.object({
   shellMaxTimeoutSec: z
@@ -780,8 +781,19 @@ export const WorkspaceGitConfigSchema = z.object({
         .int().positive().default(2000),
       backoffMaxMs: z.number({ error: 'workspaceGit.commitMessageLLM.breaker.backoffMaxMs must be a number' })
         .int().positive().default(60000),
-    }).default({}),
-  }).default({}),
+    }).default({ openAfterFailures: 3, backoffBaseMs: 2000, backoffMaxMs: 60000 }),
+  }).default({
+    enabled: false,
+    useConfiguredProvider: true,
+    providerFastModelOverrides: {},
+    timeoutMs: 600,
+    maxTokens: 120,
+    temperature: 0.2,
+    maxFilesInPrompt: 30,
+    maxDiffBytes: 12000,
+    minRemainingTurnBudgetMs: 1000,
+    breaker: { openAfterFailures: 3, backoffBaseMs: 2000, backoffMaxMs: 60000 },
+  }),
 });
 
 export const AgentHeartbeatConfigSchema = z.object({
@@ -914,6 +926,17 @@ export const SkillsConfigSchema = z.object({
   allowBundled: z.array(z.string()).nullable().default(null),
 });
 
+export const IngressConfigSchema = z.object({
+  publicBaseUrl: z
+    .string({ error: 'ingress.publicBaseUrl must be a string' })
+    .default(''),
+  mode: z
+    .enum(VALID_INGRESS_MODES, {
+      error: `ingress.mode must be one of: ${VALID_INGRESS_MODES.join(', ')}`,
+    })
+    .default('compat'),
+});
+
 export const AssistantConfigSchema = z.object({
   provider: z
     .enum(VALID_PROVIDERS, {
@@ -1163,6 +1186,10 @@ export const AssistantConfigSchema = z.object({
       denyCategories: [],
     },
   }),
+  ingress: IngressConfigSchema.default({
+    publicBaseUrl: '',
+    mode: 'compat',
+  }),
 }).superRefine((config, ctx) => {
   if (config.contextWindow.targetInputTokens >= config.contextWindow.maxInputTokens) {
     ctx.addIssue({
@@ -1223,3 +1250,4 @@ export type WorkspaceGitConfig = z.infer<typeof WorkspaceGitConfigSchema>;
 export type CallsConfig = z.infer<typeof CallsConfigSchema>;
 export type CallsDisclosureConfig = z.infer<typeof CallsDisclosureConfigSchema>;
 export type CallsSafetyConfig = z.infer<typeof CallsSafetyConfigSchema>;
+export type IngressConfig = z.infer<typeof IngressConfigSchema>;

package/src/config/system-prompt.ts

@@ -218,7 +218,7 @@ function buildTaskScheduleReminderRoutingSection(): string {
     '',
     'You can create ad-hoc work items by providing just a `title` to `task_list_add` — no existing task template is needed. A lightweight template is auto-created behind the scenes. For reusable task definitions with templates and input schemas, use `task_save` first.',
     '',
-    '**IMPORTANT:** When you call `task_list_show`, the Tasks window opens automatically on the client. Do NOT also create a separate surface/UI (via `ui_show` or `app_create`) to display the task queue. Doing so causes duplicate Task Queue windows. Just call `task_list_show` and let the native window handle the presentation.',
+    '**IMPORTANT:** When you call `task_list_show`, the Tasks window opens automatically on the client AND the tool returns the current task list. Present a brief summary of the tasks in your chat response so the user can see them inline. Do NOT also create a separate surface/UI (via `ui_show` or `app_create`) to display the task queue — that causes duplicate windows.',
     '',
     '### Schedules (schedule_create / schedule_list / schedule_update / schedule_delete)',
     'For recurring automated jobs that run on a recurrence schedule (cron or RRULE). Use ONLY when the user explicitly wants:',

package/src/config/types.ts

@@ -34,4 +34,5 @@ export type {
   CallsConfig,
   CallsDisclosureConfig,
   CallsSafetyConfig,
+  IngressConfig,
 } from './schema.js';

package/src/daemon/computer-use-session.ts

@@ -15,6 +15,7 @@ import { AgentLoop } from '../agent/loop.js';
 import { ToolExecutor } from '../tools/executor.js';
 import { PermissionPrompter } from '../permissions/prompter.js';
 import { SecretPrompter } from '../permissions/secret-prompter.js';
+import type { UserDecision } from '../permissions/types.js';
 import { allUiSurfaceTools } from '../tools/ui-surface/definitions.js';
 import { allComputerUseTools } from '../tools/computer-use/definitions.js';
 import { registerSkillTools } from '../tools/registry.js';
@@ -893,7 +894,7 @@ export class ComputerUseSession {
 
   handleConfirmationResponse(
     requestId: string,
-    decision: 'allow' | 'always_allow' | 'deny',
+    decision: UserDecision,
     selectedPattern?: string,
     selectedScope?: string,
   ): void {

package/src/daemon/handlers/config.ts

@@ -20,6 +20,7 @@ import type {
   ShareToSlackRequest,
   SlackWebhookConfigRequest,
   TwilioWebhookConfigRequest,
+  IngressConfigRequest,
   VercelApiConfigRequest,
   TwitterIntegrationConfigRequest,
 } from '../ipc-protocol.js';
@@ -165,9 +166,9 @@ export function handleAddTrustRule(
 ): void {
   try {
     addRule(msg.toolName, msg.pattern, msg.scope, msg.decision);
-    log.info({ tool: msg.toolName, pattern: msg.pattern, scope: msg.scope, decision: msg.decision }, 'Trust rule added via client');
+    log.info({ toolName: msg.toolName, pattern: msg.pattern, scope: msg.scope, decision: msg.decision }, 'Trust rule added via client');
   } catch (err) {
-    log.error({ err }, 'Failed to add trust rule');
+    log.error({ err, toolName: msg.toolName, pattern: msg.pattern, scope: msg.scope }, 'Failed to add trust rule via client');
   }
 }
 
@@ -425,6 +426,8 @@ export function handleTwilioWebhookConfig(
       const resetTimer = setTimeout(() => { ctx.setSuppressConfigReload(false); }, CONFIG_RELOAD_DEBOUNCE_MS);
       ctx.debounceTimers.set('__suppress_reset__', resetTimer);
       ctx.send(socket, { type: 'twilio_webhook_config_response', webhookBaseUrl: value, success: true });
+    } else {
+      ctx.send(socket, { type: 'twilio_webhook_config_response', webhookBaseUrl: '', success: false, error: `Unknown action: ${String((msg as unknown as Record<string, unknown>).action)}` });
     }
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
@@ -432,6 +435,51 @@ export function handleTwilioWebhookConfig(
   }
 }
 
+export function handleIngressConfig(
+  msg: IngressConfigRequest,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): void {
+  try {
+    if (msg.action === 'get') {
+      const raw = loadRawConfig();
+      const ingress = (raw?.ingress ?? {}) as Record<string, unknown>;
+      const publicBaseUrl = (ingress.publicBaseUrl as string) ?? '';
+      ctx.send(socket, { type: 'ingress_config_response', publicBaseUrl, success: true });
+    } else if (msg.action === 'set') {
+      const value = (msg.publicBaseUrl ?? '').trim().replace(/\/+$/, '');
+      const raw = loadRawConfig();
+
+      // Update ingress.publicBaseUrl
+      const ingress = (raw?.ingress ?? {}) as Record<string, unknown>;
+      ingress.publicBaseUrl = value || undefined;
+
+      // Also update calls.webhookBaseUrl for backward compat
+      const calls = (raw?.calls ?? {}) as Record<string, unknown>;
+      calls.webhookBaseUrl = value || undefined;
+
+      const wasSuppressed = ctx.suppressConfigReload;
+      ctx.setSuppressConfigReload(true);
+      try {
+        saveRawConfig({ ...raw, ingress, calls });
+      } catch (err) {
+        ctx.setSuppressConfigReload(wasSuppressed);
+        throw err;
+      }
+      const existingSuppressTimer = ctx.debounceTimers.get('__suppress_reset__');
+      if (existingSuppressTimer) clearTimeout(existingSuppressTimer);
+      const resetTimer = setTimeout(() => { ctx.setSuppressConfigReload(false); }, CONFIG_RELOAD_DEBOUNCE_MS);
+      ctx.debounceTimers.set('__suppress_reset__', resetTimer);
+      ctx.send(socket, { type: 'ingress_config_response', publicBaseUrl: value, success: true });
+    } else {
+      ctx.send(socket, { type: 'ingress_config_response', publicBaseUrl: '', success: false, error: `Unknown action: ${String((msg as unknown as Record<string, unknown>).action)}` });
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    ctx.send(socket, { type: 'ingress_config_response', publicBaseUrl: '', success: false, error: message });
+  }
+}
+
 export function handleVercelApiConfig(
   msg: VercelApiConfigRequest,
   socket: net.Socket,
@@ -658,6 +706,7 @@ export const configHandlers = defineHandlers({
   share_to_slack: handleShareToSlack,
   slack_webhook_config: handleSlackWebhookConfig,
   twilio_webhook_config: handleTwilioWebhookConfig,
+  ingress_config: handleIngressConfig,
   vercel_api_config: handleVercelApiConfig,
   twitter_integration_config: handleTwitterIntegrationConfig,
   env_vars_request: (_msg, socket, ctx) => handleEnvVarsRequest(socket, ctx),

package/src/daemon/handlers/sessions.ts

@@ -145,7 +145,7 @@ export function handleConfirmationResponse(
       ctx.touchSession(sessionId);
       session.handleConfirmationResponse(
         msg.requestId,
-        msg.decision as 'allow' | 'always_allow' | 'deny',
+        msg.decision,
         msg.selectedPattern,
         msg.selectedScope,
       );
@@ -158,7 +158,7 @@ export function handleConfirmationResponse(
     if (cuSession.hasPendingConfirmation(msg.requestId)) {
       cuSession.handleConfirmationResponse(
         msg.requestId,
-        msg.decision as 'allow' | 'always_allow' | 'deny',
+        msg.decision,
         msg.selectedPattern,
         msg.selectedScope,
       );

package/src/daemon/handlers/work-items.ts

@@ -426,8 +426,8 @@ export async function handleWorkItemRunTask(
   // Execute task asynchronously — lazily create a session inside the callback
   // using the conversationId provided by runTask, so the session references
   // the conversation that was actually inserted into the database.
+  let session: Awaited<ReturnType<typeof ctx.getOrCreateSession>> | null = null;
   try {
-    let session: Awaited<ReturnType<typeof ctx.getOrCreateSession>> | null = null;
     const result = await runTask(
       { taskId: workItem.taskId, workingDir: process.cwd(), approvedTools },
       async (conversationId, message, taskRunId) => {

package/src/daemon/ipc-contract-inventory.json

@@ -32,6 +32,7 @@
     "HistoryRequest",
     "HomeBaseGetRequest",
     "ImageGenModelSetRequest",
+    "IngressConfigRequest",
     "IntegrationConnectRequest",
     "IntegrationDisconnectRequest",
     "IntegrationListRequest",
@@ -142,6 +143,7 @@
     "GetSigningIdentityRequest",
     "HistoryResponse",
     "HomeBaseGetResponse",
+    "IngressConfigResponse",
     "IntegrationConnectResult",
     "IntegrationListResponse",
     "IpcBlobProbeResult",
@@ -255,6 +257,7 @@
     "history_request",
     "home_base_get",
     "image_gen_model_set",
+    "ingress_config",
     "integration_connect",
     "integration_disconnect",
     "integration_list",
@@ -365,6 +368,7 @@
     "get_signing_identity",
     "history_response",
     "home_base_get_response",
+    "ingress_config_response",
     "integration_connect_result",
     "integration_list_response",
     "ipc_blob_probe_result",

package/src/daemon/ipc-contract.ts

@@ -478,6 +478,12 @@ export interface TwilioWebhookConfigRequest {
   webhookBaseUrl?: string;
 }
 
+export interface IngressConfigRequest {
+  type: 'ingress_config';
+  action: 'get' | 'set';
+  publicBaseUrl?: string;
+}
+
 export interface VercelApiConfigRequest {
   type: 'vercel_api_config';
   action: 'get' | 'set' | 'delete';
@@ -942,6 +948,7 @@ export type ClientMessage =
   | ShareToSlackRequest
   | SlackWebhookConfigRequest
   | TwilioWebhookConfigRequest
+  | IngressConfigRequest
   | VercelApiConfigRequest
   | TwitterIntegrationConfigRequest
   | TwitterAuthStartRequest
@@ -1697,6 +1704,13 @@ export interface TwilioWebhookConfigResponse {
   error?: string;
 }
 
+export interface IngressConfigResponse {
+  type: 'ingress_config_response';
+  publicBaseUrl: string;
+  success: boolean;
+  error?: string;
+}
+
 export interface OpenUrl {
   type: 'open_url';
   url: string;
@@ -2015,7 +2029,7 @@ export interface WorkItemDeleteResponse {
   success: boolean;
 }
 
-export type WorkItemRunTaskErrorCode = 'not_found' | 'already_running' | 'invalid_status' | 'no_task';
+export type WorkItemRunTaskErrorCode = 'not_found' | 'already_running' | 'invalid_status' | 'no_task' | 'permission_required';
 
 export interface WorkItemRunTaskResponse {
   type: 'work_item_run_task_response';
@@ -2181,6 +2195,7 @@ export type ServerMessage =
   | ShareToSlackResponse
   | SlackWebhookConfigResponse
   | TwilioWebhookConfigResponse
+  | IngressConfigResponse
   | VercelApiConfigResponse
   | TwitterIntegrationConfigResponse
   | TwitterAuthResult

package/src/daemon/session-tool-setup.ts

@@ -14,6 +14,9 @@ import type { PermissionPrompter } from '../permissions/prompter.js';
 import type { SecretPrompter } from '../permissions/secret-prompter.js';
 import { addRule, findHighestPriorityRule } from '../permissions/trust-store.js';
 import { generateAllowlistOptions, generateScopeOptions, normalizeWebFetchUrl } from '../permissions/checker.js';
+import { getLogger } from '../util/logger.js';
+
+const log = getLogger('session-tool-setup');
 import { getAllToolDefinitions } from '../tools/registry.js';
 import { allUiSurfaceTools } from '../tools/ui-surface/definitions.js';
 import { coreAppProxyTools } from '../tools/apps/definitions.js';
@@ -248,10 +251,12 @@ export function createToolExecutor(
           req.principal,
         );
         if ((response.decision === 'always_allow' || response.decision === 'always_allow_high_risk') && response.selectedPattern && response.selectedScope) {
+          log.info({ toolName: 'cc:' + req.toolName, pattern: response.selectedPattern, scope: response.selectedScope, highRisk: response.decision === 'always_allow_high_risk' }, 'Persisting always-allow trust rule');
           addRule('cc:' + req.toolName, response.selectedPattern, response.selectedScope, 'allow', 100,
             response.decision === 'always_allow_high_risk' ? { allowHighRisk: true } : undefined);
         }
         if (response.decision === 'always_deny' && response.selectedPattern && response.selectedScope) {
+          log.info({ toolName: 'cc:' + req.toolName, pattern: response.selectedPattern, scope: response.selectedScope }, 'Persisting always-deny trust rule');
           addRule('cc:' + req.toolName, response.selectedPattern, response.selectedScope, 'deny');
         }
         return {
@@ -440,10 +445,12 @@ export function createProxyApprovalCallback(
 
     // Persist trust rule if the user chose "always allow" or "always deny"
     if ((response.decision === 'always_allow' || response.decision === 'always_allow_high_risk') && response.selectedPattern && response.selectedScope) {
+      log.info({ toolName, pattern: response.selectedPattern, scope: response.selectedScope, highRisk: response.decision === 'always_allow_high_risk' }, 'Persisting always-allow trust rule (proxy)');
       addRule(toolName, response.selectedPattern, response.selectedScope, 'allow', 100,
         response.decision === 'always_allow_high_risk' ? { allowHighRisk: true } : undefined);
     }
     if (response.decision === 'always_deny' && response.selectedPattern && response.selectedScope) {
+      log.info({ toolName, pattern: response.selectedPattern, scope: response.selectedScope }, 'Persisting always-deny trust rule (proxy)');
       addRule(toolName, response.selectedPattern, response.selectedScope, 'deny');
     }