vellum 0.2.7 → 0.2.8

package/src/runtime/http-server.ts

@@ -12,7 +12,7 @@ import { ConfigError, IngressBlockedError } from '../util/errors.js';
 import { getLogger } from '../util/logger.js';
 import { TwilioConversationRelayProvider } from '../calls/twilio-provider.js';
 import { loadConfig } from '../config/loader.js';
-import { getWebhookBaseUrl } from '../calls/twilio-webhook-urls.js';
+import { getPublicBaseUrl } from '../inbound/public-ingress-urls.js';
 import type { RunOrchestrator } from './run-orchestrator.js';
 
 // Route handlers — grouped by domain
@@ -65,6 +65,7 @@ import {
 } from '../calls/twilio-routes.js';
 import { RelayConnection, activeRelayConnections } from '../calls/relay-server.js';
 import type { RelayWebSocketData } from '../calls/relay-server.js';
+import { consumeCallback, consumeCallbackError } from '../security/oauth-callback-registry.js';
 
 // Re-export shared types so existing consumers don't need to update imports
 export type {
@@ -137,6 +138,35 @@ const GATEWAY_SUBPATH_MAP: Record<string, string> = {
   'connect-action': 'connect-action',
 };
 
+/**
+ * Direct Twilio webhook subpaths that are blocked in gateway_only mode.
+ * Internal forwarding endpoints (gateway→runtime) are unaffected.
+ */
+const GATEWAY_ONLY_BLOCKED_SUBPATHS = new Set(['voice-webhook', 'status', 'connect-action']);
+
+/**
+ * Check if a request origin is from localhost / loopback.
+ */
+function isLoopbackOrigin(req: Request): boolean {
+  const origin = req.headers.get('origin');
+  // No origin header (e.g., server-initiated or same-origin) — allow
+  if (!origin) return true;
+  try {
+    const url = new URL(origin);
+    const host = url.hostname;
+    return host === '127.0.0.1' || host === '::1' || host === 'localhost';
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Check if a hostname is a loopback address.
+ */
+function isLoopbackHost(hostname: string): boolean {
+  return hostname === '127.0.0.1' || hostname === '::1' || hostname === 'localhost';
+}
+
 /**
  * Validate a Twilio webhook request's X-Twilio-Signature header.
  *
@@ -186,7 +216,7 @@ async function validateTwilioWebhook(
   // used to compute the HMAC-SHA1 signature.
   let publicBaseUrl: string | undefined;
   try {
-    publicBaseUrl = getWebhookBaseUrl(loadConfig());
+    publicBaseUrl = getPublicBaseUrl(loadConfig());
   } catch {
     // No webhook base URL configured — fall back to using req.url as-is
   }
@@ -289,6 +319,19 @@ export class RuntimeHttpServer {
       }, 30_000);
     }
 
+    // Startup guard: log gateway-only mode warnings
+    try {
+      const config = loadConfig();
+      if (config.ingress.mode === 'gateway_only') {
+        log.info('Running in gateway-only ingress mode. Direct webhook routes disabled.');
+        if (!isLoopbackHost(this.hostname)) {
+          log.warn('gateway-only mode is enabled but RUNTIME_HTTP_HOST is not bound to loopback. This may expose the runtime to direct public access.');
+        }
+      }
+    } catch {
+      // Config loading may fail during startup — don't block server start
+    }
+
     log.info({ port: this.port, hostname: this.hostname, auth: !!this.bearerToken }, 'Runtime HTTP server listening');
   }
 
@@ -327,6 +370,15 @@ export class RuntimeHttpServer {
     // WebSocket upgrade for ConversationRelay — before auth check because
     // Twilio WebSocket connections don't use bearer tokens.
     if (path.startsWith('/v1/calls/relay') && req.headers.get('upgrade')?.toLowerCase() === 'websocket') {
+      // In gateway_only mode, only allow relay connections from localhost
+      const config = loadConfig();
+      if (config.ingress.mode === 'gateway_only' && !isLoopbackOrigin(req)) {
+        return Response.json(
+          { error: 'Direct relay access disabled in gateway-only mode', code: 'GATEWAY_ONLY' },
+          { status: 403 },
+        );
+      }
+
       const wsUrl = new URL(req.url);
       const callSessionId = wsUrl.searchParams.get('callSessionId');
       if (!callSessionId) {
@@ -356,6 +408,15 @@ export class RuntimeHttpServer {
     if (resolvedTwilioSubpath && req.method === 'POST') {
       const twilioSubpath = resolvedTwilioSubpath;
 
+      // In gateway_only mode, block direct Twilio webhook routes
+      const ingressConfig = loadConfig();
+      if (ingressConfig.ingress.mode === 'gateway_only' && GATEWAY_ONLY_BLOCKED_SUBPATHS.has(twilioSubpath)) {
+        return Response.json(
+          { error: 'Direct webhook access disabled in gateway-only mode. Use the gateway.', code: 'GATEWAY_ONLY' },
+          { status: 410 },
+        );
+      }
+
       // Validate Twilio request signature before dispatching
       const validation = await validateTwilioWebhook(req);
       if (validation instanceof Response) return validation;
@@ -628,6 +689,27 @@ export class RuntimeHttpServer {
         return await handleConnectAction(fakeReq);
       }
 
+      // ── Internal OAuth callback endpoint (gateway → runtime) ──
+      if (endpoint === 'internal/oauth/callback' && req.method === 'POST') {
+        const json = await req.json() as { state: string; code?: string; error?: string };
+        if (!json.state) {
+          return Response.json({ error: 'Missing state parameter' }, { status: 400 });
+        }
+        if (json.error) {
+          const consumed = consumeCallbackError(json.state, json.error);
+          return consumed
+            ? Response.json({ ok: true })
+            : Response.json({ error: 'Unknown state' }, { status: 404 });
+        }
+        if (json.code) {
+          const consumed = consumeCallback(json.state, json.code);
+          return consumed
+            ? Response.json({ ok: true })
+            : Response.json({ error: 'Unknown state' }, { status: 404 });
+        }
+        return Response.json({ error: 'Missing code or error parameter' }, { status: 400 });
+      }
+
       return Response.json({ error: 'Not found', source: 'runtime' }, { status: 404 });
     } catch (err) {
       if (err instanceof IngressBlockedError) {

package/src/security/oauth-callback-registry.ts

@@ -0,0 +1,56 @@
+/**
+ * In-memory registry for pending OAuth callback states.
+ * Used by the gateway-routed OAuth flow to resolve authorization codes
+ * back to the runtime code that initiated the OAuth handshake.
+ */
+
+interface PendingCallback {
+  resolve: (code: string) => void;
+  reject: (error: Error) => void;
+  timer: ReturnType<typeof setTimeout>;
+}
+
+const pendingCallbacks = new Map<string, PendingCallback>();
+const DEFAULT_TTL_MS = 5 * 60 * 1000; // 5 minutes
+
+export function registerPendingCallback(
+  state: string,
+  resolve: (code: string) => void,
+  reject: (error: Error) => void,
+  ttlMs = DEFAULT_TTL_MS,
+): void {
+  const timer = setTimeout(() => {
+    const entry = pendingCallbacks.get(state);
+    if (entry) {
+      pendingCallbacks.delete(state);
+      entry.reject(new Error('OAuth callback timed out'));
+    }
+  }, ttlMs);
+
+  pendingCallbacks.set(state, { resolve, reject, timer });
+}
+
+export function consumeCallback(state: string, code: string): boolean {
+  const entry = pendingCallbacks.get(state);
+  if (!entry) return false;
+  clearTimeout(entry.timer);
+  pendingCallbacks.delete(state);
+  entry.resolve(code);
+  return true;
+}
+
+export function consumeCallbackError(state: string, error: string): boolean {
+  const entry = pendingCallbacks.get(state);
+  if (!entry) return false;
+  clearTimeout(entry.timer);
+  pendingCallbacks.delete(state);
+  entry.reject(new Error(error));
+  return true;
+}
+
+export function clearAllCallbacks(): void {
+  for (const entry of pendingCallbacks.values()) {
+    clearTimeout(entry.timer);
+  }
+  pendingCallbacks.clear();
+}

package/src/security/oauth2.ts

@@ -1,6 +1,10 @@
 /**
  * General-purpose OAuth2 Authorization Code flow with PKCE.
  *
+ * Supports two callback transports:
+ *   - loopback: spins up a local HTTP server on 127.0.0.1 (default when no public URL configured)
+ *   - gateway:  uses the gateway's OAuth callback route + in-memory registry (when ingress.publicBaseUrl is set)
+ *
  * Moved from integrations/oauth2.ts. Types that were in integrations/types.ts
  * are now inlined here since the integration framework is removed.
  */
@@ -39,6 +43,11 @@ export interface OAuth2FlowCallbacks {
   openUrl: (url: string) => void;
 }
 
+export interface OAuth2FlowOptions {
+  /** Which callback transport to use. When omitted, auto-detected from config. */
+  callbackTransport?: 'loopback' | 'gateway';
+}
+
 export interface OAuth2FlowResult {
   tokens: OAuth2TokenResult;
   grantedScopes: string[];
@@ -62,20 +71,107 @@ function generateState(): string {
 }
 
 // ---------------------------------------------------------------------------
-// Public API
+// Token exchange (shared between transports)
+// ---------------------------------------------------------------------------
+
+async function exchangeCodeForTokens(
+  config: OAuth2Config,
+  code: string,
+  redirectUri: string,
+  codeVerifier: string,
+): Promise<OAuth2FlowResult> {
+  const usePKCE = !config.clientSecret;
+
+  const tokenBody: Record<string, string> = {
+    grant_type: 'authorization_code',
+    code,
+    redirect_uri: redirectUri,
+    client_id: config.clientId,
+  };
+  if (usePKCE) {
+    tokenBody.code_verifier = codeVerifier;
+  }
+  if (config.clientSecret) {
+    tokenBody.client_secret = config.clientSecret;
+  }
+
+  const tokenResp = await fetch(config.tokenUrl, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: new URLSearchParams(tokenBody),
+  });
+
+  if (!tokenResp.ok) {
+    const rawBody = await tokenResp.text().catch(() => '');
+    let safeDetail: Record<string, unknown> = {};
+    let errorCode = '';
+    try {
+      const parsed = JSON.parse(rawBody) as Record<string, unknown>;
+      if (parsed.error) { safeDetail.error = String(parsed.error); errorCode = String(parsed.error); }
+      if (parsed.error_description) safeDetail.error_description = String(parsed.error_description);
+    } catch {
+      safeDetail.error = '[non-JSON response]';
+    }
+    log.error({ status: tokenResp.status, ...safeDetail }, 'OAuth2 token exchange failed');
+    const detail = errorCode ? `HTTP ${tokenResp.status}: ${errorCode}` : `HTTP ${tokenResp.status}`;
+    throw new Error(`OAuth2 token exchange failed (${detail})`);
+  }
+
+  const tokenData = await tokenResp.json() as Record<string, unknown>;
+
+  // Slack V2 OAuth returns user tokens nested under `authed_user`
+  const authedUser = tokenData.authed_user as Record<string, unknown> | undefined;
+  const tokenSource = authedUser?.access_token ? authedUser : tokenData;
+
+  const tokens: OAuth2TokenResult = {
+    accessToken: (tokenSource.access_token as string) ?? (tokenData.access_token as string),
+    refreshToken: (tokenSource.refresh_token as string | undefined) ?? (tokenData.refresh_token as string | undefined),
+    expiresIn: (tokenSource.expires_in as number | undefined) ?? (tokenData.expires_in as number | undefined),
+    scope: (tokenSource.scope as string | undefined) ?? (tokenData.scope as string | undefined),
+    tokenType: (tokenSource.token_type as string | undefined) ?? (tokenData.token_type as string | undefined),
+  };
+
+  const grantedScopes = typeof tokens.scope === 'string'
+    ? tokens.scope.split(/[ ,]/).filter(Boolean)
+    : [...config.scopes];
+
+  return { tokens, grantedScopes, rawTokenResponse: tokenData };
+}
+
+// ---------------------------------------------------------------------------
+// Transport auto-detection
 // ---------------------------------------------------------------------------
 
 /**
- * Run a full OAuth2 PKCE authorization code flow using a loopback redirect.
+ * Determine which callback transport to use when not explicitly specified.
+ * Uses gateway if ingress.publicBaseUrl is configured, otherwise loopback.
  */
-export async function startOAuth2Flow(
+function detectTransport(): 'loopback' | 'gateway' {
+  try {
+    // Dynamic import avoided — loadConfig is synchronous and already used elsewhere.
+    const { loadConfig } = require('../config/loader.js') as typeof import('../config/loader.js');
+    const appConfig = loadConfig();
+    if (appConfig.ingress?.publicBaseUrl) {
+      return 'gateway';
+    }
+  } catch {
+    // Config loading failed — fall back to loopback
+    log.debug('Config not available for transport auto-detection, defaulting to loopback');
+  }
+  return 'loopback';
+}
+
+// ---------------------------------------------------------------------------
+// Loopback transport
+// ---------------------------------------------------------------------------
+
+async function runLoopbackFlow(
   config: OAuth2Config,
   callbacks: OAuth2FlowCallbacks,
+  codeVerifier: string,
+  codeChallenge: string,
+  state: string,
 ): Promise<OAuth2FlowResult> {
-  const codeVerifier = generateCodeVerifier();
-  const codeChallenge = generateCodeChallenge(codeVerifier);
-  const state = generateState();
-
   let resolveCode: (value: { code: string; returnedState: string }) => void;
   let rejectCode: (reason: Error) => void;
 
@@ -84,7 +180,6 @@ export async function startOAuth2Flow(
     rejectCode = reject;
   });
 
-  /** How long to wait for the user to complete the OAuth consent flow. */
   const FLOW_TIMEOUT_MS = 120_000;
 
   const timeout = setTimeout(() => {
@@ -153,64 +248,85 @@ export async function startOAuth2Flow(
       throw new Error('OAuth2 state mismatch — possible CSRF attack');
     }
 
-    const tokenBody: Record<string, string> = {
-      grant_type: 'authorization_code',
-      code,
-      redirect_uri: redirectUri,
-      client_id: config.clientId,
-    };
-    if (usePKCE) {
-      tokenBody.code_verifier = codeVerifier;
-    }
-    if (config.clientSecret) {
-      tokenBody.client_secret = config.clientSecret;
-    }
+    return await exchangeCodeForTokens(config, code, redirectUri, codeVerifier);
+  } finally {
+    clearTimeout(timeout);
+    server.stop(true);
+  }
+}
 
-    const tokenResp = await fetch(config.tokenUrl, {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-      body: new URLSearchParams(tokenBody),
-    });
+// ---------------------------------------------------------------------------
+// Gateway transport
+// ---------------------------------------------------------------------------
 
-    if (!tokenResp.ok) {
-      const rawBody = await tokenResp.text().catch(() => '');
-      let safeDetail: Record<string, unknown> = {};
-      let errorCode = '';
-      try {
-        const parsed = JSON.parse(rawBody) as Record<string, unknown>;
-        if (parsed.error) { safeDetail.error = String(parsed.error); errorCode = String(parsed.error); }
-        if (parsed.error_description) safeDetail.error_description = String(parsed.error_description);
-      } catch {
-        safeDetail.error = '[non-JSON response]';
-      }
-      log.error({ status: tokenResp.status, ...safeDetail }, 'OAuth2 token exchange failed');
-      const detail = errorCode ? `HTTP ${tokenResp.status}: ${errorCode}` : `HTTP ${tokenResp.status}`;
-      throw new Error(`OAuth2 token exchange failed (${detail})`);
-    }
+async function runGatewayFlow(
+  config: OAuth2Config,
+  callbacks: OAuth2FlowCallbacks,
+  codeVerifier: string,
+  codeChallenge: string,
+  state: string,
+): Promise<OAuth2FlowResult> {
+  const { loadConfig } = require('../config/loader.js') as typeof import('../config/loader.js');
+  const { getOAuthCallbackUrl } = require('../inbound/public-ingress-urls.js') as typeof import('../inbound/public-ingress-urls.js');
+  const { registerPendingCallback } = require('./oauth-callback-registry.js') as typeof import('./oauth-callback-registry.js');
 
-    const tokenData = await tokenResp.json() as Record<string, unknown>;
+  const appConfig = loadConfig();
+  const redirectUri = getOAuthCallbackUrl(appConfig);
 
-    // Slack V2 OAuth returns user tokens nested under `authed_user`
-    const authedUser = tokenData.authed_user as Record<string, unknown> | undefined;
-    const tokenSource = authedUser?.access_token ? authedUser : tokenData;
+  const codePromise = new Promise<string>((resolve, reject) => {
+    registerPendingCallback(state, resolve, reject);
+  });
 
-    const tokens: OAuth2TokenResult = {
-      accessToken: (tokenSource.access_token as string) ?? (tokenData.access_token as string),
-      refreshToken: (tokenSource.refresh_token as string | undefined) ?? (tokenData.refresh_token as string | undefined),
-      expiresIn: (tokenSource.expires_in as number | undefined) ?? (tokenData.expires_in as number | undefined),
-      scope: (tokenSource.scope as string | undefined) ?? (tokenData.scope as string | undefined),
-      tokenType: (tokenSource.token_type as string | undefined) ?? (tokenData.token_type as string | undefined),
-    };
+  const usePKCE = !config.clientSecret;
+  const authParams = new URLSearchParams({
+    ...config.extraParams,
+    client_id: config.clientId,
+    redirect_uri: redirectUri,
+    response_type: 'code',
+    scope: config.scopes.join(' '),
+    state,
+    ...(usePKCE ? { code_challenge: codeChallenge, code_challenge_method: 'S256' } : {}),
+  });
 
-    const grantedScopes = typeof tokens.scope === 'string'
-      ? tokens.scope.split(/[ ,]/).filter(Boolean)
-      : [...config.scopes];
+  const authUrl = `${config.authUrl}?${authParams}`;
+  callbacks.openUrl(authUrl);
 
-    return { tokens, grantedScopes, rawTokenResponse: tokenData };
-  } finally {
-    clearTimeout(timeout);
-    server.stop(true);
+  const code = await codePromise;
+
+  return await exchangeCodeForTokens(config, code, redirectUri, codeVerifier);
+}
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/**
+ * Run a full OAuth2 authorization code flow with PKCE support.
+ *
+ * Supports two callback transports:
+ *   - loopback (default): local HTTP server on 127.0.0.1
+ *   - gateway: callback via the gateway's OAuth route + in-memory registry
+ *
+ * Transport is auto-detected based on ingress.publicBaseUrl config unless
+ * explicitly specified via options.callbackTransport.
+ */
+export async function startOAuth2Flow(
+  config: OAuth2Config,
+  callbacks: OAuth2FlowCallbacks,
+  options?: OAuth2FlowOptions,
+): Promise<OAuth2FlowResult> {
+  const codeVerifier = generateCodeVerifier();
+  const codeChallenge = generateCodeChallenge(codeVerifier);
+  const state = generateState();
+
+  const transport = options?.callbackTransport ?? detectTransport();
+  log.debug({ transport }, 'OAuth2 flow starting');
+
+  if (transport === 'gateway') {
+    return runGatewayFlow(config, callbacks, codeVerifier, codeChallenge, state);
   }
+
+  return runLoopbackFlow(config, callbacks, codeVerifier, codeChallenge, state);
 }
 
 /**

package/src/swarm/backend-claude-code.ts

@@ -117,7 +117,7 @@ export function createClaudeCodeBackend(): SwarmWorkerBackend {
 
               const parts: string[] = [`[${message.subtype}] (${message.num_turns} turns, ${(message.duration_ms / 1000).toFixed(1)}s)`];
               if (errors.length > 0) parts.push(`Errors: ${errors.join('; ')}`);
-              if (denials.length > 0) parts.push(`Permission denied: ${denials.map(d => d.tool_name).join(', ')}`);
+              if (denials.length > 0) parts.push(`Permission denied: ${denials.map((d: { tool_name: string }) => d.tool_name).join(', ')}`);
               resultText += `\n${parts.join('\n')}`;
             }
           }

package/src/tools/assets/search.ts

@@ -13,7 +13,7 @@ import type { Tool, ToolContext, ToolExecutionResult } from '../types.js';
 import type { ToolDefinition } from '../../providers/types.js';
 import { registerTool } from '../registry.js';
 import { getDb } from '../../memory/db.js';
-import { attachments, messageAttachments, messages, conversations, conversationKeys } from '../../memory/schema.js';
+import { attachments, messageAttachments, messages, conversations } from '../../memory/schema.js';
 import type { StoredAttachment } from '../../memory/attachments-store.js';
 import { isAttachmentVisible, type AttachmentContext } from '../../daemon/media-visibility-policy.js';
 import { getConversationThreadType } from '../../memory/conversation-store.js';
@@ -103,25 +103,6 @@ function isAttachmentVisibleFromContext(attachmentId: string, currentContext: At
   );
 }
 
-// ---------------------------------------------------------------------------
-// Assistant ID lookup
-// ---------------------------------------------------------------------------
-
-/**
- * Derive the assistant ID that owns a conversation via the conversation_keys
- * table. Returns null when no mapping exists (e.g. native macOS app sessions
- * that use the implicit 'local-assistant' identity).
- */
-function getAssistantIdForConversation(conversationId: string): string | null {
-  const db = getDb();
-  const row = db
-    .select({ assistantId: conversationKeys.assistantId })
-    .from(conversationKeys)
-    .where(eq(conversationKeys.conversationId, conversationId))
-    .get();
-  return row?.assistantId ?? null;
-}
-
 // ---------------------------------------------------------------------------
 // Search logic
 // ---------------------------------------------------------------------------
@@ -131,8 +112,6 @@ export interface AssetSearchParams {
   filename?: string;
   recency?: string;
   conversation_id?: string;
-  /** Tenant boundary — when set, only attachments belonging to this assistant are returned. */
-  assistant_id?: string;
   limit?: number;
 }
 
@@ -163,11 +142,6 @@ export function searchAttachments(params: AssetSearchParams): StoredAttachment[]
     }
   }
 
-  // Tenant boundary — restrict to the active assistant's attachments
-  if (params.assistant_id) {
-    conditions.push(eq(attachments.assistantId, params.assistant_id));
-  }
-
   // Conversation scope — join through message_attachments + messages
   if (params.conversation_id) {
     const linkedIds = db
@@ -207,11 +181,6 @@ export function searchAttachments(params: AssetSearchParams): StoredAttachment[]
         bindValues.push(Date.now() - offsetMs);
       }
     }
-    if (params.assistant_id) {
-      whereParts.push(`a.assistant_id = ?`);
-      bindValues.push(params.assistant_id);
-    }
-
     const limit = Math.min(params.limit ?? DEFAULT_LIMIT, MAX_RESULTS);
     const stmt = raw.prepare(
       `SELECT a.id, a.original_filename, a.mime_type, a.size_bytes, a.kind, a.thumbnail_base64, a.created_at
@@ -347,9 +316,6 @@ class AssetSearchTool implements Tool {
     }
 
     try {
-      // Scope results to the active assistant to prevent cross-tenant leaks
-      const assistantId = getAssistantIdForConversation(context.conversationId) ?? undefined;
-
       // Over-fetch with MAX_RESULTS so visibility filtering doesn't
       // under-fill the caller's requested limit.
       const results = searchAttachments({
@@ -357,7 +323,6 @@ class AssetSearchTool implements Tool {
         filename,
         recency,
         conversation_id: conversationId,
-        assistant_id: assistantId,
         limit: MAX_RESULTS,
       });
 

package/src/tools/claude-code/claude-code.ts

@@ -224,6 +224,7 @@ export const claudeCodeTool: Tool = {
 
     // Declared outside try so the catch block can emit a final tool_complete on error.
     let lastSubToolName: string | null = null;
+    let activeToolUseId: string | null = null;
 
     try {
       const conversation = query({ prompt, options: queryOptions });
@@ -235,8 +236,6 @@ export const claudeCodeTool: Tool = {
       const toolUseIdInfo = new Map<string, { name: string; inputSummary: string }>();
       // Track tool_use_ids that we've already emitted tool_start for (to avoid duplicates).
       const emittedToolUseIds = new Set<string>();
-      // Track the currently active tool_use_id from tool_progress events.
-      let activeToolUseId: string | null = null;
 
       for await (const message of conversation) {
         switch (message.type) {
@@ -379,7 +378,7 @@ export const claudeCodeTool: Tool = {
                 parts.push(`Errors: ${errors.join('; ')}`);
               }
               if (denials.length > 0) {
-                const denialSummary = denials.map(d => `${d.tool_name}`).join(', ');
+                const denialSummary = denials.map((d: { tool_name: string }) => `${d.tool_name}`).join(', ');
                 parts.push(`Permission denied: ${denialSummary}`);
               }
               resultText += `\n\n${parts.join('\n')}`;
@@ -406,6 +405,7 @@ export const claudeCodeTool: Tool = {
         context.onOutput?.(JSON.stringify({
           subType: 'tool_complete',
           subToolName: lastSubToolName,
+          subToolId: activeToolUseId,
           subToolIsError: true,
         }));
         lastSubToolName = null;

package/src/tools/tasks/work-item-list.ts

@@ -1,5 +1,17 @@
 import type { ToolContext, ToolExecutionResult } from '../types.js';
-import { listWorkItems, type WorkItemStatus } from '../../work-items/work-item-store.js';
+import { listWorkItems, type WorkItem, type WorkItemStatus } from '../../work-items/work-item-store.js';
+
+const PRIORITY_LABELS: Record<number, string> = { 0: 'High', 1: 'Medium', 2: 'Low' };
+
+function formatTaskList(items: WorkItem[]): string {
+  const lines: string[] = [];
+  for (const item of items) {
+    const priority = PRIORITY_LABELS[item.priorityTier] ?? 'Medium';
+    const status = item.status.replace(/_/g, ' ');
+    lines.push(`- [${priority}] ${item.title} (${status})`);
+  }
+  return lines.join('\n');
+}
 
 export async function executeTaskListShow(
   input: Record<string, unknown>,
@@ -33,7 +45,9 @@ export async function executeTaskListShow(
       ? `${count} ${Array.isArray(statusFilter) ? 'matching' : statusFilter} item${count === 1 ? '' : 's'}`
       : `${count} item${count === 1 ? '' : 's'}`;
 
-    return { content: `Opened Tasks window (${label}).`, isError: false };
+    const taskList = formatTaskList(items);
+
+    return { content: `Opened Tasks window (${label}).\n\nCurrent tasks:\n${taskList}`, isError: false };
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
     return { content: `Error: ${msg}`, isError: true };