@vellumai/assistant 0.3.15 → 0.3.18

package/src/daemon/session-queue-manager.ts

@@ -25,6 +25,8 @@ export interface QueuedMessage {
   isInteractive?: boolean;
   /** Timestamp (ms) when the message was enqueued. */
   queuedAt: number;
+  /** Original user message text to persist to DB when recording intent stripping produced a different `content`. */
+  displayContent?: string;
 }
 
 export const MAX_QUEUE_DEPTH = 10;

package/src/daemon/session-runtime-assembly.ts

@@ -25,6 +25,10 @@ export interface ChannelCapabilities {
   supportsDynamicUi: boolean;
   /** Whether the channel supports voice/microphone input. */
   supportsVoiceInput: boolean;
+  /** Push-to-talk activation key (e.g. 'fn', 'ctrl', 'fn_shift', 'none'). Only present on desktop clients. */
+  pttActivationKey?: string;
+  /** Whether the client has been granted microphone permission by the OS. */
+  microphonePermissionGranted?: boolean;
 }
 
 /** Guardian identity/trust context for external chat channels. */
@@ -39,10 +43,26 @@ export interface GuardianRuntimeContext {
   denialReason?: 'no_binding' | 'no_identity';
 }
 
+/** Allowed push-to-talk activation key values. Used to validate client-provided keys before system-prompt injection. */
+const PTT_KEY_ALLOWLIST = new Set(['fn', 'ctrl', 'fn_shift', 'none']);
+
+/** Validate a PTT activation key against the allowlist. Returns the key if valid, 'unknown' otherwise. */
+export function sanitizePttActivationKey(key: string | undefined | null): string | undefined {
+  if (key == null) return undefined;
+  return PTT_KEY_ALLOWLIST.has(key) ? key : 'unknown';
+}
+
+/** Optional PTT metadata provided by the client alongside each message. */
+export interface PttMetadata {
+  pttActivationKey?: string;
+  microphonePermissionGranted?: boolean;
+}
+
 /** Derive channel capabilities from source channel + interface identifiers. */
 export function resolveChannelCapabilities(
   sourceChannel?: string | null,
   sourceInterface?: string | null,
+  pttMetadata?: PttMetadata | null,
 ): ChannelCapabilities {
   // Normalise legacy pseudo-channel IDs to canonical ChannelId values.
   let channel: string;
@@ -85,6 +105,8 @@ export function resolveChannelCapabilities(
         dashboardCapable: supportsDesktopUi,
         supportsDynamicUi: supportsDesktopUi,
         supportsVoiceInput: supportsDesktopUi,
+        pttActivationKey: sanitizePttActivationKey(pttMetadata?.pttActivationKey),
+        microphonePermissionGranted: pttMetadata?.microphonePermissionGranted,
       };
     }
     case 'telegram':
@@ -334,6 +356,23 @@ export function injectChannelCapabilityContext(message: Message, caps: ChannelCa
     lines.push('- Do NOT ask the user to use voice or microphone input.');
   }
 
+  // PTT state — only relevant on channels that support voice input
+  if (caps.supportsVoiceInput) {
+    if (caps.pttActivationKey && caps.pttActivationKey !== 'none') {
+      const keyLabel = caps.pttActivationKey === 'fn_shift' ? 'Fn+Shift' : caps.pttActivationKey === 'fn' ? 'Fn (Globe)' : caps.pttActivationKey;
+      lines.push(`ptt_activation_key: ${caps.pttActivationKey}`);
+      lines.push(`ptt_enabled: true`);
+      lines.push(`Push-to-talk is configured with the ${keyLabel} key. The user can hold ${keyLabel} to dictate text or start a voice conversation.`);
+    } else if (caps.pttActivationKey === 'none') {
+      lines.push(`ptt_activation_key: none`);
+      lines.push(`ptt_enabled: false`);
+      lines.push('Push-to-talk is disabled. You can offer to enable it for the user.');
+    }
+    if (caps.microphonePermissionGranted !== undefined) {
+      lines.push(`microphone_permission_granted: ${caps.microphonePermissionGranted}`);
+    }
+  }
+
   lines.push('</channel_capabilities>');
 
   const block = lines.join('\n');

package/src/daemon/session-skill-tools.ts

@@ -282,17 +282,18 @@ export function projectSkillTools(
     );
 
     if (tools.length > 0) {
+      let accepted = tools;
       const prevHash = prevActive.get(skillId);
       if (prevHash === undefined) {
         // Newly active skill — register for the first time
-        registerSkillTools(tools);
+        accepted = registerSkillTools(tools);
       } else if (prevHash !== currentHash) {
         // Hash changed — unregister stale tools, then re-register with new definitions
         log.info({ skillId, prevHash, currentHash }, 'Skill version changed, re-registering tools');
         unregisterSkillTools(skillId);
         alreadyUnregistered.add(skillId);
         try {
-          registerSkillTools(tools);
+          accepted = registerSkillTools(tools);
         } catch (err) {
           log.error({ err, skillId }, 'Failed to re-register skill tools after version change');
           // Don't add to successfulEntries — will be cleaned up as transiently-failed
@@ -306,12 +307,20 @@ export function projectSkillTools(
         if (existing && existing.ownerSkillBundled !== (skill.bundled ?? undefined)) {
           log.info({ skillId, bundled: skill.bundled }, 'Skill bundled status changed, re-registering tools');
           unregisterSkillTools(skillId);
-          registerSkillTools(tools);
+          accepted = registerSkillTools(tools);
+        } else {
+          // Filter to only tools that are actually registered for this skill.
+          // Some tools may have been skipped during initial registration due
+          // to core-name collisions — don't let them leak back in.
+          accepted = tools.filter((t) => {
+            const reg = getTool(t.name);
+            return reg !== undefined && reg.origin === 'skill' && reg.ownerSkillId === skillId;
+          });
         }
       }
 
       successfulEntries.set(skillId, currentHash);
-      for (const tool of tools) {
+      for (const tool of accepted) {
         allToolDefinitions.push(tool.getDefinition());
         allToolNames.add(tool.name);
       }

package/src/daemon/session-tool-setup.ts

@@ -117,12 +117,11 @@ export function createToolExecutor(
       forcePromptSideEffects: ctx.memoryPolicy.strictSideEffects,
       onToolLifecycleEvent: handleToolLifecycleEvent,
       sendToClient: (msg) => {
-        const serverMsg = msg as unknown as ServerMessage;
-        ctx.sendToClient(serverMsg);
-        // Auto-track ui_surface_show for history persistence, mirroring what
-        // session-surfaces.ts does when sending surfaces through its own path.
-        if (serverMsg.type === 'ui_surface_show') {
-          const s = serverMsg as unknown as UiSurfaceShow;
+        // Tool context's sendToClient uses a loose { type: string; [key: string]: unknown }
+        // signature, but at runtime these are always ServerMessage instances.
+        ctx.sendToClient(msg as ServerMessage);
+        if (msg.type === 'ui_surface_show') {
+          const s = msg as unknown as UiSurfaceShow;
           ctx.currentTurnSurfaces.push({
             surfaceId: s.surfaceId,
             surfaceType: s.surfaceType,

package/src/daemon/session.ts

@@ -397,8 +397,9 @@ export class Session {
     currentPage?: string,
     metadata?: Record<string, unknown>,
     options?: { isInteractive?: boolean },
+    displayContent?: string,
   ): { queued: boolean; rejected?: boolean; requestId: string } {
-    return enqueueMessageImpl(this, content, attachments, onEvent, requestId, activeSurfaceId, currentPage, metadata, options);
+    return enqueueMessageImpl(this, content, attachments, onEvent, requestId, activeSurfaceId, currentPage, metadata, options, displayContent);
   }
 
   getQueueDepth(): number {
@@ -425,6 +426,14 @@ export class Session {
     return this.prompter.hasPendingRequest(requestId);
   }
 
+  hasAnyPendingConfirmation(): boolean {
+    return this.prompter.hasPending;
+  }
+
+  denyAllPendingConfirmations(): void {
+    this.prompter.denyAllPending();
+  }
+
   hasPendingSecret(requestId: string): boolean {
     return this.secretPrompter.hasPendingRequest(requestId);
   }
@@ -489,13 +498,14 @@ export class Session {
     return this.currentTurnInterfaceContext;
   }
 
-  persistUserMessage(
+  async persistUserMessage(
     content: string,
     attachments: UserMessageAttachment[],
     requestId?: string,
     metadata?: Record<string, unknown>,
-  ): string {
-    return persistUserMessageImpl(this, content, attachments, requestId, metadata);
+    displayContent?: string,
+  ): Promise<string> {
+    return persistUserMessageImpl(this, content, attachments, requestId, metadata, displayContent);
   }
 
   // ── Agent Loop ───────────────────────────────────────────────────
@@ -504,14 +514,14 @@ export class Session {
     content: string,
     userMessageId: string,
     onEvent: (msg: ServerMessage) => void,
-    options?: { skipPreMessageRollback?: boolean; isInteractive?: boolean },
+    options?: { skipPreMessageRollback?: boolean; isInteractive?: boolean; titleText?: string },
   ): Promise<void> {
     return runAgentLoopImpl(this, content, userMessageId, onEvent, options);
   }
 
 
-  drainQueue(reason: QueueDrainReason = 'loop_complete'): void {
-    drainQueueImpl(this as ProcessSessionContext, reason);
+  drainQueue(reason: QueueDrainReason = 'loop_complete'): Promise<void> {
+    return drainQueueImpl(this as ProcessSessionContext, reason);
   }
 
   async processMessage(
@@ -522,8 +532,9 @@ export class Session {
     activeSurfaceId?: string,
     currentPage?: string,
     options?: { isInteractive?: boolean },
+    displayContent?: string,
   ): Promise<string> {
-    return processMessageImpl(this as ProcessSessionContext, content, attachments, onEvent, requestId, activeSurfaceId, currentPage, options);
+    return processMessageImpl(this as ProcessSessionContext, content, attachments, onEvent, requestId, activeSurfaceId, currentPage, options, displayContent);
   }
 
   // ── History ──────────────────────────────────────────────────────

package/src/daemon/tls-certs.ts

@@ -42,6 +42,8 @@ function computeFingerprint(cert: X509Certificate): string {
   return cert.fingerprint256.replace(/:/g, '').toLowerCase();
 }
 
+type CertStatus = 'valid' | 'approaching_expiry' | 'invalid';
+
 /**
  * Check whether an existing cert+key pair is valid:
  * - All three files exist (cert, key, fingerprint)
@@ -49,8 +51,12 @@ function computeFingerprint(cert: X509Certificate): string {
  * - Cert is not expired
  * - Fingerprint file exists and matches the cert
  * - Private key is valid and matches the certificate
+ *
+ * Returns 'valid' if the cert is good, 'approaching_expiry' if it's still usable
+ * but expires within 30 days (renewal should be attempted), or 'invalid' if the
+ * cert cannot be used at all.
  */
-async function isExistingCertValid(): Promise<boolean> {
+async function checkCertStatus(): Promise<CertStatus> {
   const certPath = getTlsCertPath();
   const keyPath = getTlsKeyPath();
   const fpPath = getTlsFingerprintPath();
@@ -63,7 +69,7 @@ async function isExistingCertValid(): Promise<boolean> {
   ]);
 
   if (!certExists || !keyExists || !fpExists) {
-    return false;
+    return 'invalid';
   }
 
   try {
@@ -76,17 +82,18 @@ async function isExistingCertValid(): Promise<boolean> {
     const x509 = new X509Certificate(certPem);
 
     // Check expiration
+    const now = new Date();
     const notAfter = new Date(x509.validTo);
-    if (notAfter <= new Date()) {
+    if (notAfter <= now) {
       log.info('Existing TLS certificate has expired, will regenerate');
-      return false;
+      return 'invalid';
     }
 
     // Check fingerprint matches
     const actualFp = computeFingerprint(x509);
     if (actualFp !== storedFp.trim()) {
       log.info('TLS fingerprint mismatch, will regenerate');
-      return false;
+      return 'invalid';
     }
 
     // Verify the private key is valid and matches the certificate's public key.
@@ -95,13 +102,20 @@ async function isExistingCertValid(): Promise<boolean> {
     const privateKey = createPrivateKey(keyPem);
     if (!x509.checkPrivateKey(privateKey)) {
       log.info('TLS private key does not match certificate, will regenerate');
-      return false;
+      return 'invalid';
     }
 
-    return true;
+    // Cert is structurally valid — check if it's approaching expiry
+    const thirtyDaysMs = 30 * 24 * 60 * 60 * 1000;
+    if (notAfter.getTime() - now.getTime() < thirtyDaysMs) {
+      log.info('TLS certificate approaching expiry, will attempt renewal');
+      return 'approaching_expiry';
+    }
+
+    return 'valid';
   } catch (err) {
     log.warn({ err }, 'Failed to validate existing TLS certificate, will regenerate');
-    return false;
+    return 'invalid';
   }
 }
 
@@ -125,8 +139,9 @@ export async function ensureTlsCert(): Promise<{ cert: string; key: string; fing
   const keyPath = getTlsKeyPath();
   const fpPath = getTlsFingerprintPath();
 
-  // Check if existing cert is still valid
-  if (await isExistingCertValid()) {
+  const status = await checkCertStatus();
+
+  if (status === 'valid') {
     const [cert, key, fingerprint] = await Promise.all([
       readFile(certPath, 'utf-8'),
       readFile(keyPath, 'utf-8'),
@@ -136,7 +151,39 @@ export async function ensureTlsCert(): Promise<{ cert: string; key: string; fing
     return { cert, key, fingerprint: fingerprint.trim() };
   }
 
-  // Generate new cert
+  if (status === 'approaching_expiry') {
+    try {
+      // Buffer existing cert/key/fingerprint before attempting renewal.
+      // generateNewCert() overwrites key.pem in-place, so if it fails mid-flight
+      // (e.g., key written but cert generation fails), reading from disk in the
+      // catch block would return a mismatched key/cert pair.
+      const [existingCert, existingKey, existingFp] = await Promise.all([
+        readFile(certPath, 'utf-8'),
+        readFile(keyPath, 'utf-8'),
+        readFile(fpPath, 'utf-8'),
+      ]);
+      try {
+        return await generateNewCert(tlsDir, certPath, keyPath, fpPath);
+      } catch (err) {
+        log.warn({ err }, 'Proactive TLS renewal failed, continuing with existing certificate');
+        return { cert: existingCert, key: existingKey, fingerprint: existingFp.trim() };
+      }
+    } catch (err) {
+      log.warn({ err }, 'Failed to read existing TLS cert for buffering, attempting regeneration');
+      return await generateNewCert(tlsDir, certPath, keyPath, fpPath);
+    }
+  }
+
+  // status === 'invalid' — must regenerate, no fallback
+  return await generateNewCert(tlsDir, certPath, keyPath, fpPath);
+}
+
+async function generateNewCert(
+  tlsDir: string,
+  certPath: string,
+  keyPath: string,
+  fpPath: string,
+): Promise<{ cert: string; key: string; fingerprint: string }> {
   log.info('Generating new self-signed TLS certificate');
   await mkdir(tlsDir, { recursive: true });
 
@@ -151,13 +198,13 @@ export async function ensureTlsCert(): Promise<{ cert: string; key: string; fing
     throw new Error(`Failed to generate TLS key: ${stderr}`);
   }
 
-  // Generate self-signed cert (10-year validity)
+  // Generate self-signed cert (1-year validity)
   const certProc = Bun.spawn(
     [
       'openssl', 'req', '-new', '-x509',
       '-key', keyPath,
       '-out', certPath,
-      '-days', '3650',
+      '-days', '365',
       '-subj', '/CN=Vellum Daemon',
     ],
     { stdout: 'pipe', stderr: 'pipe' },

package/src/daemon/tool-side-effects.ts

@@ -11,6 +11,7 @@ import { updatePublishedAppDeployment } from '../services/published-app-updater.
 import { openAppViaSurface } from '../tools/apps/open-proxy.js';
 import type { ToolExecutionResult } from '../tools/types.js';
 import { isDoordashCommand, updateDoordashProgress } from './doordash-steps.js';
+import { normalizeActivationKey } from './handlers/config-voice.js';
 import type { ServerMessage } from './ipc-protocol.js';
 import {
   refreshSurfacesForApp,
@@ -74,11 +75,6 @@ registerHook('app_update', (_name, input, _result, { ctx, broadcastToAllClients
   }
 });
 
-// Tell the client to open/focus the tasks window when the model lists tasks
-registerHook('task_list_show', (_name, _input, _result, { ctx }) => {
-  ctx.sendToClient({ type: 'open_tasks_window' });
-});
-
 // Broadcast tasks_changed so connected clients (e.g. macOS Tasks window)
 // auto-refresh when the LLM mutates the task queue via tools
 registerHook(
@@ -101,6 +97,18 @@ registerHook(
   },
 );
 
+// Broadcast activation key change to all connected clients so every
+// macOS/iOS instance picks up the new setting immediately.
+registerHook('voice_config_update', (_name, input, _result, { broadcastToAllClients }) => {
+  const key = input.activation_key as string | undefined;
+  if (key) {
+    const normalized = normalizeActivationKey(key);
+    if (normalized.ok) {
+      broadcastToAllClients?.({ type: 'client_settings_update', key: 'activationKey', value: normalized.value });
+    }
+  }
+});
+
 // ── Runner ───────────────────────────────────────────────────────────
 
 /**

package/src/gallery/default-gallery.ts

@@ -107,8 +107,8 @@ const focusTimerHtml = `<!DOCTYPE html>
   <div class="mode-label" id="modeLabel">Work Session</div>
   <div class="timer-display" id="timerDisplay">25:00</div>
   <div class="controls">
-    <button class="btn-primary" id="startBtn" onclick="toggleTimer()">Start</button>
-    <button class="btn-secondary" id="resetBtn" onclick="resetTimer()">Reset</button>
+    <button class="btn-primary" id="startBtn">Start</button>
+    <button class="btn-secondary" id="resetBtn">Reset</button>
   </div>
   <div class="stats">
     <div class="stat-item">
@@ -184,6 +184,9 @@ const focusTimerHtml = `<!DOCTYPE html>
     updateDisplay();
   }
 
+  document.getElementById('startBtn').addEventListener('click', toggleTimer);
+  document.getElementById('resetBtn').addEventListener('click', resetTimer);
+
   updateDisplay();
 </script>
 </body>
@@ -334,8 +337,8 @@ const habitTrackerHtml = `<!DOCTYPE html>
   <h1>Habit Tracker</h1>
 </div>
 <div class="add-form">
-  <input type="text" id="habitInput" placeholder="Add a new habit..." onkeydown="if(event.key==='Enter')addHabit()">
-  <button class="btn-primary" onclick="addHabit()">Add</button>
+  <input type="text" id="habitInput" placeholder="Add a new habit...">
+  <button class="btn-primary" id="addHabitBtn">Add</button>
 </div>
 <div class="days-header">
   <div></div>
@@ -387,12 +390,12 @@ const habitTrackerHtml = `<!DOCTYPE html>
       html += '<div class="habit-row">';
       html += '<div style="display:flex;align-items:center;gap:8px">';
       html += '<span class="habit-name">' + escapeHtml(record.data.name) + '</span>';
-      html += '<button class="delete-btn" onclick="deleteHabit(\\''+record.id+'\\')">x</button>';
+      html += '<button class="delete-btn" data-delete-habit="'+record.id+'">x</button>';
       html += '</div>';
       dates.forEach(function(date) {
         var checked = completedDates.indexOf(date) !== -1;
         html += '<div class="check-cell">';
-        html += '<button class="check-btn' + (checked ? ' checked' : '') + '" onclick="toggleDate(\\''+record.id+'\\',\\''+date+'\\')">';
+        html += '<button class="check-btn' + (checked ? ' checked' : '') + '" data-toggle-habit="'+record.id+'" data-toggle-date="'+date+'">';
         html += checked ? '\\u2713' : '';
         html += '</button></div>';
       });
@@ -438,6 +441,17 @@ const habitTrackerHtml = `<!DOCTYPE html>
     });
   }
 
+  document.getElementById('habitInput').addEventListener('keydown', function(event) {
+    if (event.key === 'Enter') addHabit();
+  });
+  document.getElementById('addHabitBtn').addEventListener('click', addHabit);
+  document.getElementById('habitsList').addEventListener('click', function(event) {
+    var btn = event.target.closest('[data-delete-habit]');
+    if (btn) { deleteHabit(btn.getAttribute('data-delete-habit')); return; }
+    var toggle = event.target.closest('[data-toggle-habit]');
+    if (toggle) { toggleDate(toggle.getAttribute('data-toggle-habit'), toggle.getAttribute('data-toggle-date')); }
+  });
+
   initDates();
   loadHabits();
 </script>
@@ -629,9 +643,9 @@ const expenseTrackerHtml = `<!DOCTYPE html>
     <option value="entertainment">Entertainment</option>
     <option value="other">Other</option>
   </select>
-  <input type="text" class="input-desc" id="descInput" placeholder="Description..." onkeydown="if(event.key==='Enter')addExpense()">
+  <input type="text" class="input-desc" id="descInput" placeholder="Description...">
   <input type="date" class="input-date" id="dateInput">
-  <button class="btn-primary" onclick="addExpense()">Add</button>
+  <button class="btn-primary" id="addExpenseBtn">Add</button>
 </div>
 <div class="section-title">By Category</div>
 <div class="categories-grid" id="categoriesGrid"></div>
@@ -693,7 +707,7 @@ const expenseTrackerHtml = `<!DOCTYPE html>
         listHtml += '<div class="expense-meta">' + escapeHtml(r.data.category || 'other') + ' \\u00B7 ' + escapeHtml(r.data.date || '') + '</div>';
         listHtml += '</div>';
         listHtml += '<div class="expense-amount">$' + amt.toFixed(2) + '</div>';
-        listHtml += '<button class="delete-btn" onclick="deleteExpense(\\''+r.id+'\\')">x</button>';
+        listHtml += '<button class="delete-btn" data-delete-expense="'+r.id+'">x</button>';
         listHtml += '</div>';
       });
     }
@@ -724,6 +738,15 @@ const expenseTrackerHtml = `<!DOCTYPE html>
     });
   }
 
+  document.getElementById('descInput').addEventListener('keydown', function(event) {
+    if (event.key === 'Enter') addExpense();
+  });
+  document.getElementById('addExpenseBtn').addEventListener('click', addExpense);
+  document.getElementById('expenseList').addEventListener('click', function(event) {
+    var btn = event.target.closest('[data-delete-expense]');
+    if (btn) { deleteExpense(btn.getAttribute('data-delete-expense')); }
+  });
+
   loadExpenses();
 </script>
 </body>

package/src/influencer/client.ts

@@ -47,6 +47,7 @@
 
 import type { ExtensionCommand, ExtensionResponse } from '../browser-extension-relay/protocol.js';
 import { extensionRelayServer } from '../browser-extension-relay/server.js';
+import { getGatewayInternalBaseUrl } from '../config/env.js';
 import { readHttpToken } from '../util/platform.js';
 
 // ---------------------------------------------------------------------------
@@ -133,7 +134,7 @@ async function sendRelayCommand(command: Record<string, unknown>): Promise<Exten
     );
   }
 
-  const resp = await fetch('http://127.0.0.1:7821/v1/browser-relay/command', {
+  const resp = await fetch(`${getGatewayInternalBaseUrl()}/v1/browser-relay/command`, {
     method: 'POST',
     headers: {
       'Content-Type': 'application/json',