vellum 0.2.7 → 0.2.9

package/src/daemon/handlers/config.ts

@@ -19,7 +19,7 @@ import type {
   ReminderCancel,
   ShareToSlackRequest,
   SlackWebhookConfigRequest,
-  TwilioWebhookConfigRequest,
+  IngressConfigRequest,
   VercelApiConfigRequest,
   TwitterIntegrationConfigRequest,
 } from '../ipc-protocol.js';
@@ -89,11 +89,12 @@ export function handleModelSet(
     // Suppress the file watcher callback — handleModelSet already does
     // the full reload sequence; a redundant watcher-triggered reload
     // would incorrectly evict sessions created after this method returns.
+    const wasSuppressed = ctx.suppressConfigReload;
     ctx.setSuppressConfigReload(true);
     try {
       saveRawConfig(raw);
     } catch (err) {
-      ctx.setSuppressConfigReload(false);
+      ctx.setSuppressConfigReload(wasSuppressed);
       throw err;
     }
     const existingSuppressTimer = ctx.debounceTimers.get('__suppress_reset__');
@@ -138,11 +139,12 @@ export function handleImageGenModelSet(
     const raw = loadRawConfig();
     raw.imageGenModel = msg.model;
 
+    const wasSuppressed = ctx.suppressConfigReload;
     ctx.setSuppressConfigReload(true);
     try {
       saveRawConfig(raw);
     } catch (err) {
-      ctx.setSuppressConfigReload(false);
+      ctx.setSuppressConfigReload(wasSuppressed);
       throw err;
     }
     const existingSuppressTimer = ctx.debounceTimers.get('__suppress_reset__');
@@ -165,9 +167,9 @@ export function handleAddTrustRule(
 ): void {
   try {
     addRule(msg.toolName, msg.pattern, msg.scope, msg.decision);
-    log.info({ tool: msg.toolName, pattern: msg.pattern, scope: msg.scope, decision: msg.decision }, 'Trust rule added via client');
+    log.info({ toolName: msg.toolName, pattern: msg.pattern, scope: msg.scope, decision: msg.decision }, 'Trust rule added via client');
   } catch (err) {
-    log.error({ err }, 'Failed to add trust rule');
+    log.error({ err, toolName: msg.toolName, pattern: msg.pattern, scope: msg.scope }, 'Failed to add trust rule via client');
   }
 }
 
@@ -397,25 +399,40 @@ export function handleSlackWebhookConfig(
   }
 }
 
-export function handleTwilioWebhookConfig(
-  msg: TwilioWebhookConfigRequest,
+function computeLocalGatewayTarget(): string {
+  const portRaw = process.env.GATEWAY_PORT || '7830';
+  const port = Number(portRaw) || 7830;
+  return `http://127.0.0.1:${port}`;
+}
+
+export function handleIngressConfig(
+  msg: IngressConfigRequest,
   socket: net.Socket,
   ctx: HandlerContext,
 ): void {
+  const localGatewayTarget = computeLocalGatewayTarget();
   try {
     if (msg.action === 'get') {
       const raw = loadRawConfig();
-      const webhookBaseUrl = (raw?.calls as Record<string, unknown>)?.webhookBaseUrl as string ?? '';
-      ctx.send(socket, { type: 'twilio_webhook_config_response', webhookBaseUrl, success: true });
+      const ingress = (raw?.ingress ?? {}) as Record<string, unknown>;
+      const publicBaseUrl = (ingress.publicBaseUrl as string) ?? '';
+      ctx.send(socket, { type: 'ingress_config_response', publicBaseUrl, localGatewayTarget, success: true });
     } else if (msg.action === 'set') {
-      const value = (msg.webhookBaseUrl ?? '').trim().replace(/\/+$/, '');
+      const value = (msg.publicBaseUrl ?? '').trim().replace(/\/+$/, '');
       const raw = loadRawConfig();
-      const calls = (raw?.calls ?? {}) as Record<string, unknown>;
-      calls.webhookBaseUrl = value || undefined;
+
+      // Update ingress.publicBaseUrl — this is the single source of truth for
+      // the canonical public ingress URL. The gateway receives this value via
+      // the INGRESS_PUBLIC_BASE_URL env var at spawn time (see hatch.ts).
+      // A gateway restart is required for the new value to take effect in
+      // inbound Twilio signature validation.
+      const ingress = (raw?.ingress ?? {}) as Record<string, unknown>;
+      ingress.publicBaseUrl = value || undefined;
+
       const wasSuppressed = ctx.suppressConfigReload;
       ctx.setSuppressConfigReload(true);
       try {
-        saveRawConfig({ ...raw, calls });
+        saveRawConfig({ ...raw, ingress });
       } catch (err) {
         ctx.setSuppressConfigReload(wasSuppressed);
         throw err;
@@ -424,11 +441,26 @@ export function handleTwilioWebhookConfig(
       if (existingSuppressTimer) clearTimeout(existingSuppressTimer);
       const resetTimer = setTimeout(() => { ctx.setSuppressConfigReload(false); }, CONFIG_RELOAD_DEBOUNCE_MS);
       ctx.debounceTimers.set('__suppress_reset__', resetTimer);
-      ctx.send(socket, { type: 'twilio_webhook_config_response', webhookBaseUrl: value, success: true });
+
+      // Propagate to the gateway's process environment so it picks up the
+      // new URL on its next config load. For the local-deployment path the
+      // gateway runs as a child process that inherited the assistant's env,
+      // so updating process.env here ensures the value is visible when the
+      // gateway is restarted (e.g. by the self-upgrade skill or a manual
+      // `pkill -f gateway`).
+      if (value) {
+        process.env.INGRESS_PUBLIC_BASE_URL = value;
+      }
+      // When cleared, do NOT delete the env var — the original env-provided
+      // value (if any) serves as a fallback per the documented precedence model.
+
+      ctx.send(socket, { type: 'ingress_config_response', publicBaseUrl: value, localGatewayTarget, success: true });
+    } else {
+      ctx.send(socket, { type: 'ingress_config_response', publicBaseUrl: '', localGatewayTarget, success: false, error: `Unknown action: ${String((msg as unknown as Record<string, unknown>).action)}` });
     }
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
-    ctx.send(socket, { type: 'twilio_webhook_config_response', webhookBaseUrl: '', success: false, error: message });
+    ctx.send(socket, { type: 'ingress_config_response', publicBaseUrl: '', localGatewayTarget, success: false, error: message });
   }
 }
 
@@ -565,7 +597,7 @@ export function handleTwitterIntegrationConfig(
             type: 'twitter_integration_config_response',
             success: false,
             managedAvailable: false,
-            localClientConfigured: false,
+            localClientConfigured: !!previousClientId,
             connected: false,
             error: 'Failed to store client secret in secure storage',
           });
@@ -657,7 +689,7 @@ export const configHandlers = defineHandlers({
   reminder_cancel: handleReminderCancel,
   share_to_slack: handleShareToSlack,
   slack_webhook_config: handleSlackWebhookConfig,
-  twilio_webhook_config: handleTwilioWebhookConfig,
+  ingress_config: handleIngressConfig,
   vercel_api_config: handleVercelApiConfig,
   twitter_integration_config: handleTwitterIntegrationConfig,
   env_vars_request: (_msg, socket, ctx) => handleEnvVarsRequest(socket, ctx),

package/src/daemon/handlers/sessions.ts

@@ -145,7 +145,7 @@ export function handleConfirmationResponse(
       ctx.touchSession(sessionId);
       session.handleConfirmationResponse(
         msg.requestId,
-        msg.decision as 'allow' | 'always_allow' | 'deny',
+        msg.decision,
         msg.selectedPattern,
         msg.selectedScope,
       );
@@ -158,7 +158,7 @@ export function handleConfirmationResponse(
     if (cuSession.hasPendingConfirmation(msg.requestId)) {
       cuSession.handleConfirmationResponse(
         msg.requestId,
-        msg.decision as 'allow' | 'always_allow' | 'deny',
+        msg.decision,
         msg.selectedPattern,
         msg.selectedScope,
       );

package/src/daemon/handlers/shared.ts

@@ -75,6 +75,7 @@ export interface SubagentNotificationData {
   label: string;
   status: 'completed' | 'failed' | 'aborted';
   error?: string;
+  conversationId?: string;
 }
 
 export interface ParsedHistoryMessage {

package/src/daemon/handlers/subagents.ts

@@ -3,10 +3,11 @@
  */
 
 import * as net from 'node:net';
-import type { SubagentAbortRequest, SubagentStatusRequest, SubagentMessageRequest } from '../ipc-protocol.js';
+import type { SubagentAbortRequest, SubagentStatusRequest, SubagentMessageRequest, SubagentDetailRequest } from '../ipc-protocol.js';
+import * as conversationStore from '../../memory/conversation-store.js';
 import type { HandlerContext } from './shared.js';
 import { getSubagentManager } from '../../subagent/index.js';
-import { log, defineHandlers } from './shared.js';
+import { log, defineHandlers, isRecord } from './shared.js';
 
 export function handleSubagentAbort(
   msg: SubagentAbortRequest,
@@ -120,8 +121,90 @@ export function handleSubagentMessage(
   }
 }
 
+export function handleSubagentDetailRequest(
+  msg: SubagentDetailRequest,
+  socket: net.Socket,
+  ctx: HandlerContext,
+): void {
+  // Ownership check: reject if the socket has no bound session.
+  const callerSessionId = ctx.socketToSession.get(socket);
+  if (!callerSessionId) {
+    log.warn({ subagentId: msg.subagentId }, 'Detail request rejected: socket has no bound session');
+    return;
+  }
+
+  // If the subagent is still in memory, verify the caller owns it.
+  // After daemon restart getState() returns null — we allow the request
+  // since the conversationId itself acts as a capability token (the client
+  // only knows it because it was sent in a prior subagent_notification).
+  const manager = getSubagentManager();
+  const state = manager.getState(msg.subagentId);
+  if (state && state.config.parentSessionId !== callerSessionId) {
+    log.warn({ subagentId: msg.subagentId, callerSessionId }, 'Detail request rejected: subagent not owned by caller');
+    return;
+  }
+
+  const subagentMsgs = conversationStore.getMessages(msg.conversationId);
+
+  // Extract objective from the first user message
+  let objective: string | undefined;
+  const firstUser = subagentMsgs.find(m => m.role === 'user');
+  if (firstUser) {
+    try {
+      const parsed = JSON.parse(firstUser.content);
+      if (Array.isArray(parsed)) {
+        const textBlock = parsed.find((b: Record<string, unknown>) => isRecord(b) && b.type === 'text');
+        if (textBlock && typeof textBlock.text === 'string') {
+          objective = textBlock.text;
+        }
+      }
+    } catch { /* ignore */ }
+  }
+
+  // Extract events from both assistant and user messages.
+  // Subagent conversations are not consolidated, so tool_result blocks
+  // live in separate user-role messages following the assistant's tool_use.
+  const events: Array<{ type: string; content: string; toolName?: string; isError?: boolean }> = [];
+  const pendingTools = new Map<string, string>();
+  for (const m of subagentMsgs) {
+    if (m.role !== 'assistant' && m.role !== 'user') continue;
+    let content: unknown[];
+    try {
+      const parsed = JSON.parse(m.content);
+      content = Array.isArray(parsed) ? parsed : [];
+    } catch { continue; }
+
+    for (const block of content) {
+      if (!isRecord(block) || typeof block.type !== 'string') continue;
+      if (m.role === 'assistant' && block.type === 'text' && typeof block.text === 'string') {
+        events.push({ type: 'text', content: block.text });
+      } else if (block.type === 'tool_use') {
+        const name = typeof block.name === 'string' ? block.name : 'unknown';
+        const input = isRecord(block.input) ? block.input as Record<string, unknown> : {};
+        const id = typeof block.id === 'string' ? block.id : '';
+        events.push({ type: 'tool_use', content: JSON.stringify(input), toolName: name });
+        if (id) pendingTools.set(id, name);
+      } else if (block.type === 'tool_result') {
+        const toolUseId = typeof block.tool_use_id === 'string' ? block.tool_use_id : '';
+        const resultContent = typeof block.content === 'string' ? block.content : '';
+        const isError = block.is_error === true;
+        const toolName = toolUseId ? pendingTools.get(toolUseId) : undefined;
+        events.push({ type: 'tool_result', content: resultContent, toolName: toolName ?? 'unknown', isError });
+      }
+    }
+  }
+
+  ctx.send(socket, {
+    type: 'subagent_detail_response',
+    subagentId: msg.subagentId,
+    objective,
+    events,
+  });
+}
+
 export const subagentHandlers = defineHandlers({
   subagent_abort: handleSubagentAbort,
   subagent_status: handleSubagentStatus,
   subagent_message: handleSubagentMessage,
+  subagent_detail_request: handleSubagentDetailRequest,
 });

package/src/daemon/handlers/twitter-auth.ts

@@ -1,8 +1,10 @@
 import * as net from 'node:net';
-import { loadRawConfig } from '../../config/loader.js';
+import { loadRawConfig, loadConfig } from '../../config/loader.js';
 import { getSecureKey, setSecureKey, deleteSecureKey } from '../../security/secure-keys.js';
 import { startOAuth2Flow } from '../../security/oauth2.js';
+import { getPublicBaseUrl } from '../../inbound/public-ingress-urls.js';
 import { upsertCredentialMetadata, getCredentialMetadata } from '../../tools/credentials/metadata-store.js';
+import { ConfigError } from '../../util/errors.js';
 import type { TwitterAuthStartRequest, TwitterAuthStatusRequest } from '../ipc-protocol.js';
 import { log, defineHandlers, type HandlerContext } from './shared.js';
 import type { OAuth2Config } from '../../security/oauth2.js';
@@ -36,6 +38,33 @@ export async function handleTwitterAuthStart(
 
     const clientSecret = getSecureKey('credential:integration:twitter:oauth_client_secret') || undefined;
 
+    // Fail fast if no public ingress URL is configured — Twitter OAuth
+    // callbacks must route through the gateway, never via loopback.
+    let config;
+    try {
+      config = loadConfig();
+    } catch (err) {
+      const detail = err instanceof ConfigError ? err.message : String(err);
+      ctx.send(socket, {
+        type: 'twitter_auth_result',
+        success: false,
+        error: `Unable to load config: ${detail}`,
+      });
+      return;
+    }
+
+    try {
+      getPublicBaseUrl(config);
+    } catch {
+      ctx.send(socket, {
+        type: 'twitter_auth_result',
+        success: false,
+        error:
+          'Set ingress.publicBaseUrl (or INGRESS_PUBLIC_BASE_URL) so OAuth callbacks can route through /webhooks/oauth/callback on the gateway.',
+      });
+      return;
+    }
+
     const oauthConfig: OAuth2Config = {
       authUrl: 'https://twitter.com/i/oauth2/authorize',
       tokenUrl: 'https://api.x.com/2/oauth2/token',
@@ -49,7 +78,7 @@ export async function handleTwitterAuthStart(
       openUrl: (url: string) => {
         ctx.send(socket, { type: 'open_url', url });
       },
-    });
+    }, { callbackTransport: 'gateway' });
 
     // Verify identity via Twitter API before persisting any tokens
     let accountInfo: string;

package/src/daemon/handlers/work-items.ts

@@ -426,8 +426,8 @@ export async function handleWorkItemRunTask(
   // Execute task asynchronously — lazily create a session inside the callback
   // using the conversationId provided by runTask, so the session references
   // the conversation that was actually inserted into the database.
+  let session: Awaited<ReturnType<typeof ctx.getOrCreateSession>> | null = null;
   try {
-    let session: Awaited<ReturnType<typeof ctx.getOrCreateSession>> | null = null;
     const result = await runTask(
       { taskId: workItem.taskId, workingDir: process.cwd(), approvedTools },
       async (conversationId, message, taskRunId) => {

package/src/daemon/ipc-contract-inventory.json

@@ -32,6 +32,7 @@
     "HistoryRequest",
     "HomeBaseGetRequest",
     "ImageGenModelSetRequest",
+    "IngressConfigRequest",
     "IntegrationConnectRequest",
     "IntegrationDisconnectRequest",
     "IntegrationListRequest",
@@ -75,12 +76,12 @@
     "SkillsUpdateRequest",
     "SlackWebhookConfigRequest",
     "SubagentAbortRequest",
+    "SubagentDetailRequest",
     "SubagentMessageRequest",
     "SubagentStatusRequest",
     "SuggestionRequest",
     "TaskSubmit",
     "TrustRulesList",
-    "TwilioWebhookConfigRequest",
     "TwitterAuthStartRequest",
     "TwitterAuthStatusRequest",
     "TwitterIntegrationConfigRequest",
@@ -142,6 +143,7 @@
     "GetSigningIdentityRequest",
     "HistoryResponse",
     "HomeBaseGetResponse",
+    "IngressConfigResponse",
     "IntegrationConnectResult",
     "IntegrationListResponse",
     "IpcBlobProbeResult",
@@ -179,6 +181,7 @@
     "SkillsListResponse",
     "SkillsOperationResponse",
     "SlackWebhookConfigResponse",
+    "SubagentDetailResponse",
     "SubagentEvent",
     "SubagentSpawned",
     "SubagentStatusChanged",
@@ -192,7 +195,6 @@
     "ToolUseStart",
     "TraceEvent",
     "TrustRulesListResponse",
-    "TwilioWebhookConfigResponse",
     "TwitterAuthResult",
     "TwitterAuthStatusResponse",
     "TwitterIntegrationConfigResponse",
@@ -255,6 +257,7 @@
     "history_request",
     "home_base_get",
     "image_gen_model_set",
+    "ingress_config",
     "integration_connect",
     "integration_disconnect",
     "integration_list",
@@ -298,12 +301,12 @@
     "skills_update",
     "slack_webhook_config",
     "subagent_abort",
+    "subagent_detail_request",
     "subagent_message",
     "subagent_status",
     "suggestion_request",
     "task_submit",
     "trust_rules_list",
-    "twilio_webhook_config",
     "twitter_auth_start",
     "twitter_auth_status",
     "twitter_integration_config",
@@ -365,6 +368,7 @@
     "get_signing_identity",
     "history_response",
     "home_base_get_response",
+    "ingress_config_response",
     "integration_connect_result",
     "integration_list_response",
     "ipc_blob_probe_result",
@@ -402,6 +406,7 @@
     "skills_operation_response",
     "skills_state_changed",
     "slack_webhook_config_response",
+    "subagent_detail_response",
     "subagent_event",
     "subagent_spawned",
     "subagent_status_changed",
@@ -415,7 +420,6 @@
     "tool_use_start",
     "trace_event",
     "trust_rules_list_response",
-    "twilio_webhook_config_response",
     "twitter_auth_result",
     "twitter_auth_status_response",
     "twitter_integration_config_response",

package/src/daemon/ipc-contract.ts

@@ -472,10 +472,10 @@ export interface SlackWebhookConfigRequest {
   webhookUrl?: string;
 }
 
-export interface TwilioWebhookConfigRequest {
-  type: 'twilio_webhook_config';
+export interface IngressConfigRequest {
+  type: 'ingress_config';
   action: 'get' | 'set';
-  webhookBaseUrl?: string;
+  publicBaseUrl?: string;
 }
 
 export interface VercelApiConfigRequest {
@@ -941,7 +941,7 @@ export type ClientMessage =
   | ShareAppCloudRequest
   | ShareToSlackRequest
   | SlackWebhookConfigRequest
-  | TwilioWebhookConfigRequest
+  | IngressConfigRequest
   | VercelApiConfigRequest
   | TwitterIntegrationConfigRequest
   | TwitterAuthStartRequest
@@ -978,11 +978,8 @@ export type ClientMessage =
   | WorkItemCancelRequest
   | SubagentAbortRequest
   | SubagentStatusRequest
-  | SubagentMessageRequest;
-
-// ── Legacy integration IPC stubs ────────────────────────────────────
-// The macOS Settings panel still sends these messages. Stub types keep
-// the dispatch map happy until the client-side migration lands.
+  | SubagentMessageRequest
+  | SubagentDetailRequest;
 
 export interface IntegrationListRequest {
   type: 'integration_list';
@@ -1227,6 +1224,7 @@ export interface HistoryResponse {
       label: string;
       status: 'completed' | 'failed' | 'aborted';
       error?: string;
+      conversationId?: string;
     };
   }>;
 }
@@ -1690,9 +1688,11 @@ export interface SlackWebhookConfigResponse {
   error?: string;
 }
 
-export interface TwilioWebhookConfigResponse {
-  type: 'twilio_webhook_config_response';
-  webhookBaseUrl: string;
+export interface IngressConfigResponse {
+  type: 'ingress_config_response';
+  publicBaseUrl: string;
+  /** Read-only gateway target computed from GATEWAY_PORT env var (default 7830) + loopback host. */
+  localGatewayTarget: string;
   success: boolean;
   error?: string;
 }
@@ -2015,7 +2015,7 @@ export interface WorkItemDeleteResponse {
   success: boolean;
 }
 
-export type WorkItemRunTaskErrorCode = 'not_found' | 'already_running' | 'invalid_status' | 'no_task';
+export type WorkItemRunTaskErrorCode = 'not_found' | 'already_running' | 'invalid_status' | 'no_task' | 'permission_required';
 
 export interface WorkItemRunTaskResponse {
   type: 'work_item_run_task_response';
@@ -2180,7 +2180,7 @@ export type ServerMessage =
   | GalleryInstallResponse
   | ShareToSlackResponse
   | SlackWebhookConfigResponse
-  | TwilioWebhookConfigResponse
+  | IngressConfigResponse
   | VercelApiConfigResponse
   | TwitterIntegrationConfigResponse
   | TwitterAuthResult
@@ -2219,7 +2219,8 @@ export type ServerMessage =
   | OpenTasksWindow
   | SubagentSpawned
   | SubagentStatusChanged
-  | SubagentEvent;
+  | SubagentEvent
+  | SubagentDetailResponse;
 
 // === Subagent IPC ─────────────────────────────────────────────────────
 
@@ -2239,6 +2240,18 @@ export interface SubagentStatusChanged {
   usage?: UsageStats;
 }
 
+export interface SubagentDetailResponse {
+  type: 'subagent_detail_response';
+  subagentId: string;
+  objective?: string;
+  events: Array<{
+    type: string;
+    content: string;
+    toolName?: string;
+    isError?: boolean;
+  }>;
+}
+
 /** Wraps any ServerMessage emitted by a subagent session for routing to the client. */
 export interface SubagentEvent {
   type: 'subagent_event';
@@ -2265,6 +2278,12 @@ export interface SubagentMessageRequest {
   content: string;
 }
 
+export interface SubagentDetailRequest {
+  type: 'subagent_detail_request';
+  subagentId: string;
+  conversationId: string;
+}
+
 // === Contract schema ===
 
 export interface IPCContractSchema {

package/src/daemon/lifecycle.ts

@@ -316,6 +316,14 @@ export async function runDaemon(): Promise<void> {
   await initializeTools();
   log.info('Daemon startup: providers and tools initialized');
 
+  // Start the IPC socket BEFORE Qdrant so that clients can connect
+  // immediately. Qdrant startup can take 30+ seconds (binary download,
+  // /readyz polling) which previously blocked the socket from appearing.
+  log.info('Daemon startup: starting DaemonServer (IPC socket)');
+  const server = new DaemonServer();
+  await server.start();
+  log.info('Daemon startup: DaemonServer started');
+
   // Initialize Qdrant vector store — non-fatal so the daemon stays up without it
   const qdrantUrl = process.env.QDRANT_URL?.trim() || config.memory.qdrant.url;
   log.info({ qdrantUrl }, 'Daemon startup: initializing Qdrant');
@@ -336,10 +344,7 @@ export async function runDaemon(): Promise<void> {
     log.warn({ err }, 'Qdrant failed to start — memory features will be unavailable');
   }
 
-  log.info('Daemon startup: starting DaemonServer (IPC socket)');
-  const server = new DaemonServer();
-  await server.start();
-  log.info('Daemon startup: DaemonServer started, starting memory worker');
+  log.info('Daemon startup: starting memory worker');
   const memoryWorker = startMemoryJobsWorker();
   // Initialize watcher engine and register providers
   registerWatcherProvider(gmailProvider);

package/src/daemon/server.ts

@@ -39,6 +39,7 @@ import { getSubagentManager } from '../subagent/index.js';
 import { tryHandlePendingCallAnswer } from '../calls/call-bridge.js';
 import { resolveSlash } from './session-slash.js';
 import { createUserMessage, createAssistantMessage } from '../agent/message-types.js';
+import { registerDaemonCallbacks } from '../work-items/work-item-runner.js';
 
 const log = getLogger('server');
 
@@ -184,6 +185,12 @@ export class DaemonServer {
 
     this.evictor.start();
 
+    // Register daemon callbacks so tools can trigger work item execution
+    registerDaemonCallbacks({
+      getOrCreateSession: (conversationId) => this.getOrCreateSession(conversationId),
+      broadcast: (msg) => this.broadcast(msg),
+    });
+
     ensureBlobDir();
     this.blobSweepTimer = setInterval(() => {
       sweepStaleBlobs(30 * 60 * 1000).catch((err) => {

package/src/daemon/session-tool-setup.ts

@@ -14,6 +14,9 @@ import type { PermissionPrompter } from '../permissions/prompter.js';
 import type { SecretPrompter } from '../permissions/secret-prompter.js';
 import { addRule, findHighestPriorityRule } from '../permissions/trust-store.js';
 import { generateAllowlistOptions, generateScopeOptions, normalizeWebFetchUrl } from '../permissions/checker.js';
+import { getLogger } from '../util/logger.js';
+
+const log = getLogger('session-tool-setup');
 import { getAllToolDefinitions } from '../tools/registry.js';
 import { allUiSurfaceTools } from '../tools/ui-surface/definitions.js';
 import { coreAppProxyTools } from '../tools/apps/definitions.js';
@@ -248,10 +251,12 @@ export function createToolExecutor(
           req.principal,
         );
         if ((response.decision === 'always_allow' || response.decision === 'always_allow_high_risk') && response.selectedPattern && response.selectedScope) {
+          log.info({ toolName: 'cc:' + req.toolName, pattern: response.selectedPattern, scope: response.selectedScope, highRisk: response.decision === 'always_allow_high_risk' }, 'Persisting always-allow trust rule');
           addRule('cc:' + req.toolName, response.selectedPattern, response.selectedScope, 'allow', 100,
             response.decision === 'always_allow_high_risk' ? { allowHighRisk: true } : undefined);
         }
         if (response.decision === 'always_deny' && response.selectedPattern && response.selectedScope) {
+          log.info({ toolName: 'cc:' + req.toolName, pattern: response.selectedPattern, scope: response.selectedScope }, 'Persisting always-deny trust rule');
           addRule('cc:' + req.toolName, response.selectedPattern, response.selectedScope, 'deny');
         }
         return {
@@ -277,7 +282,7 @@ export function createToolExecutor(
 
     // Broadcast tasks_changed so connected clients (e.g. macOS Tasks window)
     // auto-refresh when the LLM mutates the task queue via tools
-    if ((name === 'task_list_add' || name === 'task_list_update' || name === 'task_list_remove') && !result.isError) {
+    if ((name === 'task_list_add' || name === 'task_list_update' || name === 'task_list_remove' || name === 'task_queue_run') && !result.isError) {
       broadcastToAllClients?.({ type: 'tasks_changed' });
     }
 
@@ -440,10 +445,12 @@ export function createProxyApprovalCallback(
 
     // Persist trust rule if the user chose "always allow" or "always deny"
     if ((response.decision === 'always_allow' || response.decision === 'always_allow_high_risk') && response.selectedPattern && response.selectedScope) {
+      log.info({ toolName, pattern: response.selectedPattern, scope: response.selectedScope, highRisk: response.decision === 'always_allow_high_risk' }, 'Persisting always-allow trust rule (proxy)');
       addRule(toolName, response.selectedPattern, response.selectedScope, 'allow', 100,
         response.decision === 'always_allow_high_risk' ? { allowHighRisk: true } : undefined);
     }
     if (response.decision === 'always_deny' && response.selectedPattern && response.selectedScope) {
+      log.info({ toolName, pattern: response.selectedPattern, scope: response.selectedScope }, 'Persisting always-deny trust rule (proxy)');
       addRule(toolName, response.selectedPattern, response.selectedScope, 'deny');
     }