diff --git a/assistant/src/__tests__/checker.test.ts b/assistant/src/__tests__/checker.test.ts
index 82c542c976c..6d1bda3aa06 100644
--- a/assistant/src/__tests__/checker.test.ts
+++ b/assistant/src/__tests__/checker.test.ts
@@ -231,6 +231,25 @@ describe("Permission Checker", () => {
         });
         expect(risk).toBe(RiskLevel.High);
       });
+
+      test("file_read of legacy signing key is high risk even when BASE_DATA_DIR relocates getProtectedDir()", async () => {
+        const savedBaseDataDir = process.env.BASE_DATA_DIR;
+        process.env.BASE_DATA_DIR = "/tmp/fake-instance-signing-key-test";
+        try {
+          const risk = await classifyRisk("file_read", {
+            path: join(
+              homedir(),
+              ".vellum",
+              "protected",
+              "actor-token-signing-key",
+            ),
+          });
+          expect(risk).toBe(RiskLevel.High);
+        } finally {
+          if (savedBaseDataDir === undefined) delete process.env.BASE_DATA_DIR;
+          else process.env.BASE_DATA_DIR = savedBaseDataDir;
+        }
+      });
     });
 
     // file_write is always low (sandboxed)
diff --git a/assistant/src/permissions/checker.ts b/assistant/src/permissions/checker.ts
index 7d9b034e60b..ed4e717db4f 100644
--- a/assistant/src/permissions/checker.ts
+++ b/assistant/src/permissions/checker.ts
@@ -966,11 +966,17 @@ function isActorTokenSigningKeyPath(
   if (!filePath) return false;
   const cwd = workingDir ?? process.cwd();
   const resolvedPath = resolve(cwd, filePath);
-  const signingKeyPaths = [
-    join(getProtectedDir(), "actor-token-signing-key"),
-    join(getDeprecatedDir(), "actor-token-signing-key"),
-    resolve(cwd, "deprecated", "actor-token-signing-key"),
-  ];
+  // Include both the per-instance protected dir AND the legacy global
+  // ~/.vellum/protected path so upgraded machines with a host-wide signing
+  // key still classify reads as High risk.
+  const signingKeyPaths = Array.from(
+    new Set([
+      join(homedir(), ".vellum", "protected", "actor-token-signing-key"),
+      join(getProtectedDir(), "actor-token-signing-key"),
+      join(getDeprecatedDir(), "actor-token-signing-key"),
+      resolve(cwd, "deprecated", "actor-token-signing-key"),
+    ]),
+  );
   return signingKeyPaths.includes(resolvedPath);
 }