@vellumai/assistant 0.10.2-dev.202606250318.5e7cfb0 → 0.10.2

package/src/telemetry/usage-telemetry-reporter.ts

@@ -28,7 +28,6 @@ import {
   assembleBoundedTurnTrace,
   isTurnSettled,
 } from "../memory/turn-trace-store.js";
-import { queryUnreportedWatchdogEvents } from "../memory/watchdog-events-store.js";
 import { VellumPlatformClient } from "../platform/client.js";
 import {
   getCachedShareAnalytics,
@@ -77,9 +76,6 @@ const CHECKPOINT_KEY_SKILL_LOADED_WATERMARK =
   "telemetry:skill_loaded:last_reported_at";
 const CHECKPOINT_KEY_SKILL_LOADED_WATERMARK_ID =
   "telemetry:skill_loaded:last_reported_id";
-const CHECKPOINT_KEY_WATCHDOG_WATERMARK = "telemetry:watchdog:last_reported_at";
-const CHECKPOINT_KEY_WATCHDOG_WATERMARK_ID =
-  "telemetry:watchdog:last_reported_id";
 // Written into the `*_id` watermark checkpoints by the opt-out flush branch.
 // Sorts lexicographically above every real row ID (all event stores generate
 // lowercase v4 UUIDs), so the compound cursor's same-millisecond arm
@@ -104,7 +100,6 @@ const WATERMARK_KEY_PAIRS: ReadonlyArray<readonly [string, string]> = [
     CHECKPOINT_KEY_SKILL_LOADED_WATERMARK,
     CHECKPOINT_KEY_SKILL_LOADED_WATERMARK_ID,
   ],
-  [CHECKPOINT_KEY_WATCHDOG_WATERMARK, CHECKPOINT_KEY_WATCHDOG_WATERMARK_ID],
 ];
 const REPORT_INTERVAL_MS = 5 * 60 * 1000;
 const INITIAL_FLUSH_DELAY_MS = 30_000; // Delay first flush to let CES handshake complete
@@ -128,37 +123,6 @@ export function setUsageTelemetryReporter(
   _instance = reporter;
 }
 
-// ---------------------------------------------------------------------------
-// Helpers
-// ---------------------------------------------------------------------------
-
-/**
- * Parse a stored `watchdog_events.detail` JSON text column into the object the
- * platform expects. Returns null for a null column or an unparseable/corrupted
- * blob (mirroring the turn `client` metadata parse: a bad blob emits null
- * rather than failing the batch). A non-object (e.g. a bare number or string)
- * also resolves to null, since the platform serializer treats `detail` as a
- * JSON object bag.
- */
-function parseWatchdogDetail(
-  raw: string | null,
-): Record<string, unknown> | null {
-  if (!raw) return null;
-  try {
-    const parsed = JSON.parse(raw) as unknown;
-    if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
-      return parsed as Record<string, unknown>;
-    }
-    return null;
-  } catch {
-    log.warn(
-      { rawDetail: raw.slice(0, 200) },
-      "Telemetry watchdog: failed to parse detail; emitting null",
-    );
-    return null;
-  }
-}
-
 // ---------------------------------------------------------------------------
 // Reporter
 // ---------------------------------------------------------------------------
@@ -343,8 +307,7 @@ export class UsageTelemetryReporter {
         undefined;
 
       // Read skill-loaded watermark (compound cursor: createdAt + id).
-      // Writes are gated on share_analytics consent, so opted-out rows
-      // cannot exist and the standard 0 default is safe.
+      // Brand-new table, so the standard 0 default is safe.
       const skillLoadedWatermark = Number(
         getMemoryCheckpoint(CHECKPOINT_KEY_SKILL_LOADED_WATERMARK) ?? "0",
       );
@@ -352,15 +315,6 @@ export class UsageTelemetryReporter {
         getMemoryCheckpoint(CHECKPOINT_KEY_SKILL_LOADED_WATERMARK_ID) ??
         undefined;
 
-      // Read watchdog watermark (compound cursor: createdAt + id).
-      // Writes are gated on share_analytics consent, so opted-out rows
-      // cannot exist and the standard 0 default is safe.
-      const watchdogWatermark = Number(
-        getMemoryCheckpoint(CHECKPOINT_KEY_WATCHDOG_WATERMARK) ?? "0",
-      );
-      const watchdogWatermarkId =
-        getMemoryCheckpoint(CHECKPOINT_KEY_WATCHDOG_WATERMARK_ID) ?? undefined;
-
       // Query unreported events
       const events = queryUnreportedUsageEvents(
         watermark,
@@ -397,11 +351,6 @@ export class UsageTelemetryReporter {
         skillLoadedWatermarkId,
         BATCH_SIZE,
       );
-      const watchdogEvents = queryUnreportedWatchdogEvents(
-        watchdogWatermark,
-        watchdogWatermarkId,
-        BATCH_SIZE,
-      );
 
       // Trace completeness barrier (trace-eligible owners only).
       //
@@ -469,8 +418,7 @@ export class UsageTelemetryReporter {
         onboardingEvents.length === 0 &&
         authFallbackEvents.length === 0 &&
         toolExecutedEvents.length === 0 &&
-        skillLoadedEvents.length === 0 &&
-        watchdogEvents.length === 0
+        skillLoadedEvents.length === 0
       )
         return;
 
@@ -494,7 +442,6 @@ export class UsageTelemetryReporter {
           authFallbackCount: authFallbackEvents.length,
           toolExecutedCount: toolExecutedEvents.length,
           skillLoadedCount: skillLoadedEvents.length,
-          watchdogCount: watchdogEvents.length,
         },
         "Telemetry flush: resolved auth context",
       );
@@ -727,23 +674,6 @@ export class UsageTelemetryReporter {
             assistant_version: APP_VERSION,
           }),
         ),
-        ...watchdogEvents.map(
-          (e): TelemetryEvent => ({
-            type: "watchdog",
-            daemon_event_id: e.id,
-            recorded_at: e.createdAt,
-            check_name: e.checkName,
-            value: e.value,
-            // `detail` is stored as JSON text; parse defensively so a
-            // corrupted blob never fails the batch flush. A parse failure
-            // emits null rather than dropping the event.
-            detail: parseWatchdogDetail(e.detail),
-            // `watchdog_events` has no record-time version column — same
-            // upload-time APP_VERSION stamping as the other non-llm_usage
-            // event types.
-            assistant_version: APP_VERSION,
-          }),
-        ),
       ];
 
       const organizationId = getPlatformOrganizationId() || undefined;
@@ -866,19 +796,6 @@ export class UsageTelemetryReporter {
         );
       }
 
-      // Advance watchdog watermark (compound cursor)
-      if (watchdogEvents.length > 0) {
-        const lastWatchdog = watchdogEvents[watchdogEvents.length - 1];
-        setMemoryCheckpoint(
-          CHECKPOINT_KEY_WATCHDOG_WATERMARK,
-          String(lastWatchdog.createdAt),
-        );
-        setMemoryCheckpoint(
-          CHECKPOINT_KEY_WATCHDOG_WATERMARK_ID,
-          lastWatchdog.id,
-        );
-      }
-
       // If we got a full batch of any type, there may be more — recurse.
       // Turns use the REPORTED count: when the completeness barrier truncates
       // the batch, the deferred turns must wait for a later flush (by which
@@ -891,8 +808,7 @@ export class UsageTelemetryReporter {
         onboardingEvents.length === BATCH_SIZE ||
         authFallbackEvents.length === BATCH_SIZE ||
         toolExecutedEvents.length === BATCH_SIZE ||
-        skillLoadedEvents.length === BATCH_SIZE ||
-        watchdogEvents.length === BATCH_SIZE
+        skillLoadedEvents.length === BATCH_SIZE
       ) {
         await this._doFlush(batchCount + 1);
       }

package/src/tools/ask-question/ask-question-tool.test.ts

@@ -206,35 +206,6 @@ describe("AskQuestionTool.execute", () => {
     expect(result.content).toBe("Question aborted");
   });
 
-  test("short-circuits without prompting when no interactive user is present", async () => {
-    setNextResult(singleCompleted({ decision: "option", optionId: "a" }));
-
-    const result = await askQuestionTool.execute(
-      validInput,
-      makeContext({ isInteractive: false }),
-    );
-
-    // The prompter must never be invoked — there is no one to answer, so the
-    // turn proceeds with defaults instead of parking on the response backstop.
-    expect(calls).toHaveLength(0);
-    expect(result.isError).toBe(false);
-    expect(result.content.toLowerCase()).toContain("no interactive user");
-  });
-
-  test("still prompts when isInteractive is true or unset", async () => {
-    setNextResult(singleCompleted({ decision: "option", optionId: "a" }));
-
-    // The short-circuit keys off an explicit `false`, not a missing flag, so an
-    // interactive turn (or one that never set the flag) still prompts.
-    await askQuestionTool.execute(
-      validInput,
-      makeContext({ isInteractive: true }),
-    );
-    await askQuestionTool.execute(validInput, makeContext());
-
-    expect(calls).toHaveLength(2);
-  });
-
   test("rejects a question with fewer than 2 options", async () => {
     setNextResult(singleCompleted({ decision: "option", optionId: "a" }));
     const result = await askQuestionTool.execute(

package/src/tools/ask-question/ask-question-tool.ts

@@ -182,19 +182,6 @@ export const askQuestionTool = {
 
     const questions: SingleQuestion[] = parsed.data.questions;
 
-    // No interactive user is present to answer (scheduled/headless/background
-    // turn). Don't park the turn on a prompt no one can resolve — proceed with
-    // defaults immediately. Non-interactive turns are already instructed not to
-    // ask (NON_INTERACTIVE_CONTEXT_BLOCK); this is the backstop for when the
-    // model asks anyway, so it doesn't wait out the full response timeout.
-    if (context.isInteractive === false) {
-      return {
-        content:
-          "No interactive user is present to answer; proceeding with reasonable defaults.",
-        isError: false,
-      };
-    }
-
     const prompter = new QuestionPrompter();
     const result = await prompter.prompt({
       conversationId: context.conversationId,

package/src/tools/executor.ts

@@ -528,8 +528,8 @@ export { isSideEffectTool } from "./side-effects.js";
  * handles cleanup before the executor wrapper trips.
  *
  * `ask_question` blocks on user input inside `execute()` via `QuestionPrompter`,
- * which waits up to `questionResponseTimeoutSec`. We give the wrapper the same
- * 5s buffer over that deadline so the prompter's own timeout fires first and
+ * which waits up to `permissionTimeoutSec`. We give the wrapper the same 5s
+ * buffer over that deadline so the prompter's own timeout fires first and
  * returns its clean "User did not respond within timeout" result — otherwise
  * the shorter generic budget trips first, orphaning the still-pending prompt
  * behind the confusing "may still be running in the background" error.
@@ -556,8 +556,8 @@ export function computePerToolTimeoutMs(
     return (shellTimeoutSec + 5) * 1000;
   }
   if (name === "ask_question") {
-    const { questionResponseTimeoutSec } = getConfig().timeouts;
-    return (questionResponseTimeoutSec + 5) * 1000;
+    const { permissionTimeoutSec } = getConfig().timeouts;
+    return (permissionTimeoutSec + 5) * 1000;
   }
   const rawTimeoutSec = getConfig().timeouts.toolExecutionTimeoutSec;
   return safeTimeoutMs(rawTimeoutSec);

package/src/tools/registry.ts

@@ -826,20 +826,6 @@ export function getWorkspaceToolNames(): string[] {
     .map((t) => t.name);
 }
 
-/**
- * Return tool definitions for all currently registered workspace-origin
- * tools. Used by the conversation tool resolver to re-read workspace tools
- * from the registry each turn, the same way {@link getMcpToolDefinitions}
- * lets a conversation pick up MCP tools registered after it was created —
- * here so reconciled edits under `<workspaceDir>/tools/` are picked up
- * without recreating the conversation.
- */
-export function getWorkspaceToolDefinitions(): Tool[] {
-  return Array.from(tools.values()).filter(
-    (t) => ownersByName.get(t.name)?.kind === "workspace",
-  );
-}
-
 /**
  * Return the names of core tools currently stripped via workspace
  * `.removed` sentinels — i.e. names where the stash holds an entry but
@@ -982,10 +968,6 @@ export async function initializeTools(): Promise<void> {
   // Workspace tools land after the core snapshot above so they're never
   // baked into the test-reset baseline.
   //
-  // `loadWorkspaceTools` is idempotent: this is the first reconcile, and
-  // conversation reads re-run it later to pick up on-disk edits without a
-  // restart (see workspace-tools/loader.ts).
-  //
   // Imported dynamically because the loader imports back from this module
   // (registerWorkspaceTools / removeCoreToolViaWorkspace); a static import
   // here would create a registry ↔ loader cycle.

package/src/tools/shared/filesystem/path-policy.ts

@@ -20,16 +20,6 @@ export type PathFailureReason = "not_absolute" | "out_of_bounds" | "denied";
  */
 const DENIED_BASENAMES = new Set([".backup.key", "backup.key"]);
 
-/**
- * Whether a path's basename is on the denylist of files the assistant must
- * never read or write. Shared so callers that walk the filesystem (e.g.
- * `code_search`) apply the same denylist as `sandboxPolicy`/`hostPolicy`,
- * keeping the three in sync.
- */
-export function isDeniedBasename(path: string): boolean {
-  return DENIED_BASENAMES.has(basename(path));
-}
-
 export type PathResult =
   | { ok: true; resolved: string }
   | { ok: false; reason: PathFailureReason; error: string };
@@ -148,7 +138,10 @@ export function sandboxPolicy(
 
   // Check both the logical path and the symlink-resolved path so a symlink
   // with a non-denied name pointing at a denied file is still caught.
-  if (isDeniedBasename(resolved) || isDeniedBasename(realResolved)) {
+  if (
+    DENIED_BASENAMES.has(basename(resolved)) ||
+    DENIED_BASENAMES.has(basename(realResolved))
+  ) {
     return {
       ok: false,
       reason: "denied",
@@ -175,7 +168,7 @@ export function hostPolicy(rawPath: string): PathResult {
       error: `path must be absolute for host file access: ${rawPath}`,
     };
   }
-  if (isDeniedBasename(rawPath)) {
+  if (DENIED_BASENAMES.has(basename(rawPath))) {
     return {
       ok: false,
       reason: "denied",

package/src/tools/tool-approval-handler.ts

@@ -553,7 +553,7 @@ export class ToolApprovalHandler {
         const inputDigest =
           deferredConsumeParams?.inputDigest ??
           computeToolApprovalDigest(name, input);
-        const escalation = await createOrReuseToolGrantRequest({
+        const escalation = createOrReuseToolGrantRequest({
           assistantId: context.assistantId,
           sourceChannel: context.executionChannel as ChannelId,
           conversationId: context.conversationId,

package/src/tools/tool-defaults.ts

@@ -10,7 +10,6 @@
  * is a `Tool` (`Required<ToolDefinition>`).
  */
 
-import { resolveExecutionTarget } from "./execution-target.js";
 import type {
   RiskLevel,
   Tool,
@@ -31,10 +30,7 @@ import type {
  *   are rejected at the JSON-schema layer.
  * - `executionTarget` defaults to `sandbox` — author-supplied tool code
  *   runs in the assistant container by default; opt in to `host` when
- *   the tool proxies work to the connected client. The name-prefix
- *   heuristic (`host_*` / `computer_use_*` resolves to host) is applied
- *   by `resolveExecutionTarget` in `finalizeTool`, so a tool named
- *   `host_my_thing` defaults to host even without an explicit field.
+ *   the tool proxies work to the connected client.
  * - `category` defaults to empty — Slack channel `allowedToolCategories`
  *   policy denies uncategorized tools when a category allow-list is set,
  *   which is the correct deny-by-default for tools the author didn't
@@ -94,10 +90,8 @@ export function finalizeTool(tool: ToolDefinition, defaultName = ""): Tool {
           content: `tool ${name} has no execute implementation`,
           isError: true,
         });
-  const executionTarget =
-    tool.executionTarget ?? resolveExecutionTarget({ name });
+  const executionTarget = tool.executionTarget ?? TOOL_DEFAULTS.executionTarget;
   const category = tool.category ?? TOOL_DEFAULTS.category;
-  const exclusive = tool.exclusive ?? false;
   return {
     ...tool,
     name,
@@ -107,6 +101,5 @@ export function finalizeTool(tool: ToolDefinition, defaultName = ""): Tool {
     executionTarget,
     execute,
     category,
-    exclusive,
   };
 }

package/src/tools/tool-manifest.ts

@@ -18,7 +18,6 @@ import { runAuthenticatedCommandTool } from "./credential-execution/run-authenti
 import { fileEditTool } from "./filesystem/edit.js";
 import { fileListTool } from "./filesystem/list.js";
 import { fileReadTool } from "./filesystem/read.js";
-import { codeSearchTool } from "./filesystem/search.js";
 import { fileWriteTool } from "./filesystem/write.js";
 import { recallTool, rememberTool } from "./memory/register.js";
 import { webFetchTool } from "./network/web-fetch.js";
@@ -60,7 +59,6 @@ export const eagerModuleToolNames: string[] = [
   "file_write",
   "file_edit",
   "file_list",
-  "code_search",
   "web_search",
   "web_fetch",
   "skill_execute",
@@ -83,7 +81,6 @@ export const explicitTools: ToolDefinition[] = [
   fileWriteTool,
   fileEditTool,
   fileListTool,
-  codeSearchTool,
   webFetchTool,
   webSearchTool,
   skillExecuteTool,

package/src/tools/types.ts

@@ -449,15 +449,6 @@ export const ToolDefinitionSchema = z.object({
       ) => Promise<ToolExecutionResult>
     >()
     .optional(),
-  /**
-   * When true, this tool runs alone in its turn. If the model emits it
-   * alongside other tool calls, the agent loop executes only this one and
-   * defers the siblings — returning them un-run with a benign notice — so the
-   * model incorporates this tool's output before acting on anything else. The
-   * `advisor` tool sets this so its guidance lands before the agent commits to
-   * a path. Default false (the loop runs sibling calls concurrently as usual).
-   */
-  exclusive: z.boolean().optional(),
 });
 
 /**
@@ -469,14 +460,8 @@ export const ToolDefinitionSchema = z.object({
  */
 export type ToolDefinition = z.infer<typeof ToolDefinitionSchema>;
 
-/**
- * Tool after the loader has derived its name and filled defaults. Every field
- * is required except `exclusive`, which stays optional — most tools never set
- * it, and the agent loop reads it as `?.exclusive === true`, so forcing every
- * hand-built `Tool` (MCP/meet/test fixtures) to carry it would be noise.
- */
-export type Tool = Required<Omit<ToolDefinition, "exclusive">> &
-  Pick<ToolDefinition, "exclusive">;
+/** Tool after the loader has derived its name and filled defaults. */
+export type Tool = Required<ToolDefinition>;
 
 /** The kind of extension that owns a tool. Core tools have no owner. */
 export type OwnerKind = "skill" | "mcp" | "plugin" | "workspace";