@vellumai/assistant 0.3.16 → 0.3.19

package/src/notifications/deliveries-store.ts

@@ -28,6 +28,9 @@ export interface NotificationDeliveryRow {
   conversationId: string | null;
   messageId: string | null;
   conversationStrategy: string | null;
+  threadAction: string | null;
+  threadTargetConversationId: string | null;
+  threadDecisionFallbackUsed: number | null;
   clientDeliveryStatus: string | null;
   clientDeliveryError: string | null;
   clientDeliveryAt: number | null;
@@ -52,6 +55,9 @@ function rowToDelivery(row: typeof notificationDeliveries.$inferSelect): Notific
     conversationId: row.conversationId,
     messageId: row.messageId,
     conversationStrategy: row.conversationStrategy,
+    threadAction: row.threadAction,
+    threadTargetConversationId: row.threadTargetConversationId,
+    threadDecisionFallbackUsed: row.threadDecisionFallbackUsed,
     clientDeliveryStatus: row.clientDeliveryStatus,
     clientDeliveryError: row.clientDeliveryError,
     clientDeliveryAt: row.clientDeliveryAt,
@@ -76,6 +82,9 @@ export interface CreateDeliveryParams {
   conversationId?: string;
   messageId?: string;
   conversationStrategy?: string;
+  threadAction?: string;
+  threadTargetConversationId?: string;
+  threadDecisionFallbackUsed?: boolean;
 }
 
 /** Create a new delivery audit record. */
@@ -99,6 +108,9 @@ export function createDelivery(params: CreateDeliveryParams): NotificationDelive
     conversationId: params.conversationId ?? null,
     messageId: params.messageId ?? null,
     conversationStrategy: params.conversationStrategy ?? null,
+    threadAction: params.threadAction ?? null,
+    threadTargetConversationId: params.threadTargetConversationId ?? null,
+    threadDecisionFallbackUsed: params.threadDecisionFallbackUsed != null ? (params.threadDecisionFallbackUsed ? 1 : 0) : null,
     clientDeliveryStatus: null,
     clientDeliveryError: null,
     clientDeliveryAt: null,

package/src/notifications/emit-signal.ts

@@ -205,6 +205,7 @@ export async function emitNotificationSignal(params: EmitSignalParams): Promise<
 
     // Step 2: Evaluate the signal through the decision engine
     const connectedChannels = getConnectedChannels(assistantId);
+
     let decision = await evaluateSignal(signal, connectedChannels);
 
     // Step 2.5: Enforce routing intent policy (fire-time guard)

package/src/notifications/thread-candidates.ts

@@ -10,11 +10,10 @@
  * needs for a routing decision, not full conversation contents.
  */
 
-import { and, desc, eq, isNotNull } from 'drizzle-orm';
+import { and, count, desc, eq, inArray, isNotNull } from 'drizzle-orm';
 
 import { getDb } from '../memory/db.js';
-import { countPendingByConversation } from '../memory/guardian-approvals.js';
-import { conversations, notificationDeliveries, notificationDecisions, notificationEvents } from '../memory/schema.js';
+import { channelGuardianApprovalRequests, conversations, notificationDecisions, notificationDeliveries, notificationEvents } from '../memory/schema.js';
 import { getLogger } from '../util/logger.js';
 import type { NotificationChannel } from './types.js';
 
@@ -148,49 +147,78 @@ function buildCandidatesForChannel(
 
     seen.add(row.conversationId);
 
-    const candidate: ThreadCandidate = {
+    candidates.push({
       conversationId: row.conversationId,
       title: row.convTitle,
       updatedAt: row.convUpdatedAt,
       latestSourceEventName: row.sourceEventName ?? null,
       channel: channel,
-    };
-
-    // Enrich with guardian context
-    const guardianContext = buildGuardianContext(row.conversationId, assistantId);
-    if (guardianContext) {
-      candidate.guardianContext = guardianContext;
-    }
-
-    candidates.push(candidate);
+    });
 
     if (candidates.length >= MAX_CANDIDATES_PER_CHANNEL) break;
   }
 
+  // Batch-enrich all candidates with guardian context in a single query
+  if (candidates.length > 0) {
+    const pendingCounts = batchCountPendingByConversation(
+      candidates.map((c) => c.conversationId),
+      assistantId,
+    );
+    for (const candidate of candidates) {
+      const pendingCount = pendingCounts.get(candidate.conversationId) ?? 0;
+      if (pendingCount > 0) {
+        candidate.guardianContext = { pendingUnresolvedRequestCount: pendingCount };
+      }
+    }
+  }
+
   return candidates;
 }
 
 // -- Guardian context enrichment ----------------------------------------------
 
 /**
- * Build guardian-specific context for a candidate conversation.
- * Returns null when there is no guardian-relevant data.
+ * Batch-count pending guardian approval requests for multiple conversations
+ * in a single query. Returns a map from conversationId to pending count
+ * (only entries with count > 0 are included).
  */
-function buildGuardianContext(
-  conversationId: string,
+function batchCountPendingByConversation(
+  conversationIds: string[],
   assistantId: string,
-): GuardianCandidateContext | null {
+): Map<string, number> {
+  const result = new Map<string, number>();
+  if (conversationIds.length === 0) return result;
+
   try {
-    const pendingCount = countPendingByConversation(conversationId, assistantId);
-    if (pendingCount > 0) {
-      return { pendingUnresolvedRequestCount: pendingCount };
+    const db = getDb();
+
+    const rows = db
+      .select({
+        conversationId: channelGuardianApprovalRequests.conversationId,
+        count: count(),
+      })
+      .from(channelGuardianApprovalRequests)
+      .where(
+        and(
+          inArray(channelGuardianApprovalRequests.conversationId, conversationIds),
+          eq(channelGuardianApprovalRequests.status, 'pending'),
+          eq(channelGuardianApprovalRequests.assistantId, assistantId),
+        ),
+      )
+      .groupBy(channelGuardianApprovalRequests.conversationId)
+      .all();
+
+    for (const row of rows) {
+      if (row.count > 0) {
+        result.set(row.conversationId, row.count);
+      }
     }
   } catch (err) {
     const errMsg = err instanceof Error ? err.message : String(err);
-    log.warn({ err: errMsg, conversationId }, 'Failed to query guardian context for candidate');
+    log.warn({ err: errMsg }, 'Failed to batch-query guardian context for candidates');
   }
 
-  return null;
+  return result;
 }
 
 // -- Prompt serialization -----------------------------------------------------
@@ -213,13 +241,20 @@ export function serializeCandidatesForPrompt(candidateSet: ThreadCandidateSet):
 
     const lines: string[] = [`Channel: ${channel}`];
     for (const c of candidates) {
+      // Escape title to prevent format corruption from quotes or newlines in
+      // user/model-provided text. JSON.stringify produces a safe single-line
+      // quoted string; we strip the outer quotes since we wrap in our own.
+      const safeTitle = c.title
+        ? JSON.stringify(c.title).slice(1, -1)
+        : '(untitled)';
       const parts: string[] = [
         `  - id=${c.conversationId}`,
-        `title="${c.title ?? '(untitled)'}"`,
+        `title="${safeTitle}"`,
         `updated=${new Date(c.updatedAt).toISOString()}`,
       ];
       if (c.latestSourceEventName) {
-        parts.push(`lastEvent="${c.latestSourceEventName}"`);
+        const safeEventName = JSON.stringify(c.latestSourceEventName).slice(1, -1);
+        parts.push(`lastEvent="${safeEventName}"`);
       }
       if (c.guardianContext) {
         parts.push(`pendingRequests=${c.guardianContext.pendingUnresolvedRequestCount}`);

package/src/notifications/types.ts

@@ -95,13 +95,14 @@ export interface ThreadActionReuseExisting {
 /** Per-channel thread action — either start a new thread or reuse an existing one. */
 export type ThreadAction = ThreadActionStartNew | ThreadActionReuseExisting;
 
+
 /** Output produced by the notification decision engine for a given signal. */
 export interface NotificationDecision {
   shouldNotify: boolean;
   selectedChannels: NotificationChannel[];
   reasoningSummary: string;
   renderedCopy: Partial<Record<NotificationChannel, RenderedChannelCopy>>;
-  /** Per-channel thread action. When absent for a channel, defaults to start_new. */
+  /** Per-channel thread actions decided by the model. Absent channels default to start_new. */
   threadActions?: Partial<Record<NotificationChannel, ThreadAction>>;
   deepLinkTarget?: Record<string, unknown>;
   dedupeKey: string;

package/src/permissions/checker.ts

@@ -101,6 +101,19 @@ const WRAPPER_PROGRAMS = new Set([
 // value of -u) as the wrapped program instead of `echo`.
 const ENV_VALUE_FLAGS = new Set(['-u', '--unset', '-C', '--chdir']);
 
+// Bare filenames that `rm` is allowed to delete at Medium risk (instead of
+// High) so workspace-scoped allow rules can approve them without the
+// dangerous `allowHighRisk` flag. Only matches when the args contain no
+// flags and exactly one of these filenames.
+const RM_SAFE_BARE_FILES = new Set(['BOOTSTRAP.md', 'UPDATES.md']);
+
+function isRmOfKnownSafeFile(args: string[]): boolean {
+  if (args.length !== 1) return false;
+  const target = args[0];
+  if (target.startsWith('-') || target.includes('/')) return false;
+  return RM_SAFE_BARE_FILES.has(target);
+}
+
 /**
  * Given a segment whose program is a known wrapper, return the first
  * non-flag argument (i.e. the wrapped program name).  Returns `undefined`
@@ -123,19 +136,6 @@ function getWrappedProgram(seg: { program: string; args: string[] }): string | u
   return undefined;
 }
 
-function isHighRiskRm(args: string[]): boolean {
-  // rm with -r, -rf, -fr, or targeting root/home
-  for (const arg of args) {
-    if (arg.startsWith('-') && (arg.includes('r') || arg.includes('f'))) {
-      return true;
-    }
-    if (arg === '/' || arg === '~' || arg === '$HOME') {
-      return true;
-    }
-  }
-  return false;
-}
-
 function getStringField(input: Record<string, unknown>, ...keys: string[]): string {
   for (const key of keys) {
     const value = input[key];
@@ -398,9 +398,14 @@ async function classifyRiskUncached(toolName: string, input: Record<string, unkn
       if (HIGH_RISK_PROGRAMS.has(prog)) return RiskLevel.High;
 
       if (prog === 'rm') {
-        if (isHighRiskRm(seg.args)) return RiskLevel.High;
-        maxRisk = RiskLevel.Medium;
-        continue;
+        // `rm` of known safe workspace files (no flags, bare filename) is
+        // Medium rather than High so scope-limited allow rules can approve
+        // it without needing allowHighRisk, which would bypass path checks.
+        if (isRmOfKnownSafeFile(seg.args)) {
+          maxRisk = RiskLevel.Medium;
+          continue;
+        }
+        return RiskLevel.High;
       }
 
       if (prog === 'chmod' || prog === 'chown' || prog === 'chgrp'
@@ -417,7 +422,14 @@ async function classifyRiskUncached(toolName: string, input: Record<string, unkn
       }
 
       if (WRAPPER_PROGRAMS.has(prog)) {
+        // `command -v` and `command -V` are read-only lookups (print where
+        // a command lives) — don't escalate to high risk for those.
+        if (prog === 'command' && seg.args.length > 0 && (seg.args[0] === '-v' || seg.args[0] === '-V')) {
+          continue;
+        }
         const wrapped = getWrappedProgram(seg);
+        if (wrapped === 'rm') return RiskLevel.High;
+        if (wrapped && HIGH_RISK_PROGRAMS.has(wrapped)) return RiskLevel.High;
         if (wrapped === 'curl' || wrapped === 'wget') {
           maxRisk = RiskLevel.Medium;
           continue;

package/src/permissions/defaults.ts

@@ -37,6 +37,13 @@ const COMPUTER_USE_TOOLS = [
  * Computed at runtime so paths reflect the configured root directory.
  */
 export function getDefaultRuleTemplates(): DefaultRuleTemplate[] {
+  // Some test suites mock getConfig() with partial objects; treat missing
+  // branches as defaults so rule generation remains deterministic.
+  const config = getConfig() as {
+    sandbox?: { enabled?: boolean };
+    skills?: { load?: { extraDirs?: unknown } };
+  };
+
   const hostFileRules = HOST_FILE_TOOLS.map((tool) => ({
     id: `default:ask-${tool}-global`,
     tool,
@@ -50,11 +57,11 @@ export function getDefaultRuleTemplates(): DefaultRuleTemplate[] {
   // global default ask rule uses "**" (globstar) instead of a "tool:*" prefix
   // because commands often contain "/" (e.g. "cat /etc/hosts").
   const hostShellRule: DefaultRuleTemplate = {
-    id: 'default:ask-host_bash-global',
+    id: 'default:allow-host_bash-global',
     tool: 'host_bash',
     pattern: '**',
     scope: 'everywhere',
-    decision: 'ask',
+    decision: 'allow',
     priority: 50,
   };
 
@@ -62,7 +69,7 @@ export function getDefaultRuleTemplates(): DefaultRuleTemplate[] {
   // them (including high-risk) so the user is never prompted for sandbox work.
   // Only emit this rule when the sandbox is actually enabled; otherwise bash
   // commands execute on the host and must go through normal permission checks.
-  const sandboxEnabled = getConfig().sandbox.enabled;
+  const sandboxEnabled = config.sandbox?.enabled !== false;
   const sandboxShellRule: DefaultRuleTemplate | null = sandboxEnabled
     ? {
         id: 'default:allow-bash-global',
@@ -149,7 +156,10 @@ export function getDefaultRuleTemplates(): DefaultRuleTemplate[] {
 
   // Append any user-configured extra skill directories so they get the
   // same default ask rules as managed and bundled dirs.
-  const extraDirs = getConfig().skills.load.extraDirs;
+  const rawExtraDirs = config.skills?.load?.extraDirs;
+  const extraDirs = Array.isArray(rawExtraDirs)
+    ? rawExtraDirs.filter((dir): dir is string => typeof dir === 'string')
+    : [];
   for (let i = 0; i < extraDirs.length; i++) {
     skillDirs.push({ dir: extraDirs[i].replaceAll('\\', '/'), label: `extra-${i}` });
   }

package/src/runtime/guardian-action-followup-executor.ts

@@ -24,8 +24,8 @@ import { getGatewayInternalBaseUrl } from '../config/env.js';
 import { getOrCreateConversation } from '../memory/conversation-key-store.js';
 import {
   finalizeFollowup,
-  getGuardianActionRequest,
   type FollowupAction,
+  getGuardianActionRequest,
   type GuardianActionRequest,
 } from '../memory/guardian-action-store.js';
 import { getLogger } from '../util/logger.js';

package/src/runtime/guardian-action-grant-minter.ts

@@ -0,0 +1,97 @@
+/**
+ * Shared helper for minting scoped approval grants when a guardian-action
+ * request is resolved with tool metadata.
+ *
+ * Used by both the channel inbound path (inbound-message-handler.ts) and
+ * the desktop/IPC path (session-process.ts) to ensure grants are minted
+ * consistently regardless of which channel the guardian answers on.
+ */
+
+import type { GuardianActionRequest } from '../memory/guardian-action-store.js';
+import { createScopedApprovalGrant } from '../memory/scoped-approval-grants.js';
+import { getLogger } from '../util/logger.js';
+import { parseApprovalDecision } from './channel-approval-parser.js';
+
+const log = getLogger('guardian-action-grant-minter');
+
+/** TTL for scoped approval grants minted on guardian-action answer resolution. */
+export const GUARDIAN_ACTION_GRANT_TTL_MS = 5 * 60 * 1000;
+
+/**
+ * Mint a `tool_signature` scoped grant when a guardian-action request is
+ * resolved and the request carries tool metadata (toolName + inputDigest).
+ *
+ * Skips silently when:
+ *   - The resolved request has no toolName/inputDigest (informational consult).
+ *   - The guardian's answer is not an explicit approval (fail-closed).
+ *
+ * Fails silently on error -- grant minting is best-effort and must never
+ * block the guardian-action answer flow.
+ */
+export function tryMintGuardianActionGrant(params: {
+  resolvedRequest: GuardianActionRequest;
+  answerText: string;
+  decisionChannel: string;
+  guardianExternalUserId?: string;
+}): void {
+  const { resolvedRequest, answerText, decisionChannel, guardianExternalUserId } = params;
+
+  // Only mint for requests that carry tool metadata -- informational
+  // ASK_GUARDIAN consults without tool context do not produce grants.
+  if (!resolvedRequest.toolName || !resolvedRequest.inputDigest) {
+    return;
+  }
+
+  // Gate on explicit affirmative guardian decisions (fail-closed).
+  // Only mint when the deterministic parser recognises an approval keyword
+  // ("yes", "approve", "allow", "go ahead", etc.).  Unrecognised text
+  // (e.g. "nope", "don't do that") is treated as non-approval and skipped,
+  // preventing ambiguous answers from producing grants.
+  const decision = parseApprovalDecision(answerText);
+  if (decision?.action !== 'approve_once' && decision?.action !== 'approve_always') {
+    log.info(
+      {
+        event: 'guardian_action_grant_skipped_no_approval',
+        toolName: resolvedRequest.toolName,
+        requestId: resolvedRequest.id,
+        answerText,
+        parsedAction: decision?.action ?? null,
+        decisionChannel,
+      },
+      'Skipped grant minting: guardian answer not classified as explicit approval',
+    );
+    return;
+  }
+
+  try {
+    createScopedApprovalGrant({
+      assistantId: resolvedRequest.assistantId,
+      scopeMode: 'tool_signature',
+      toolName: resolvedRequest.toolName,
+      inputDigest: resolvedRequest.inputDigest,
+      requestChannel: resolvedRequest.sourceChannel,
+      decisionChannel,
+      executionChannel: null,
+      conversationId: resolvedRequest.sourceConversationId,
+      callSessionId: resolvedRequest.callSessionId,
+      guardianExternalUserId: guardianExternalUserId ?? null,
+      expiresAt: new Date(Date.now() + GUARDIAN_ACTION_GRANT_TTL_MS).toISOString(),
+    });
+
+    log.info(
+      {
+        event: 'guardian_action_grant_minted',
+        toolName: resolvedRequest.toolName,
+        requestId: resolvedRequest.id,
+        callSessionId: resolvedRequest.callSessionId,
+        decisionChannel,
+      },
+      'Minted scoped approval grant for guardian-action answer resolution',
+    );
+  } catch (err) {
+    log.error(
+      { err, toolName: resolvedRequest.toolName, requestId: resolvedRequest.id },
+      'Failed to mint scoped approval grant for guardian-action (non-fatal)',
+    );
+  }
+}

package/src/runtime/http-server.ts

@@ -85,7 +85,6 @@ import {
   handleGetAttachmentContent,
   handleUploadAttachment,
 } from './routes/attachment-routes.js';
-import { handleDebug } from './routes/debug-routes.js';
 import {
   handleAnswerCall,
   handleCancelCall,
@@ -116,8 +115,19 @@ import {
   handleSearchConversations,
   handleSendMessage,
 } from './routes/conversation-routes.js';
+import { handleDebug } from './routes/debug-routes.js';
 import { handleSubscribeAssistantEvents } from './routes/events-routes.js';
 import { handleGetIdentity,handleHealth } from './routes/identity-routes.js';
+import {
+  handleBlockMember,
+  handleCreateInvite,
+  handleListInvites,
+  handleListMembers,
+  handleRedeemInvite,
+  handleRevokeInvite,
+  handleRevokeMember,
+  handleUpsertMember,
+} from './routes/ingress-routes.js';
 import {
   handleCancelOutbound,
   handleClearSlackChannelConfig,
@@ -140,16 +150,6 @@ import {
   handlePairingRequest,
   handlePairingStatus,
 } from './routes/pairing-routes.js';
-import {
-  handleBlockMember,
-  handleCreateInvite,
-  handleListInvites,
-  handleListMembers,
-  handleRedeemInvite,
-  handleRevokeInvite,
-  handleRevokeMember,
-  handleUpsertMember,
-} from './routes/ingress-routes.js';
 import { handleAddSecret } from './routes/secret-routes.js';
 
 // Re-export for consumers

package/src/runtime/routes/access-request-decision.ts

@@ -6,8 +6,8 @@
  * instead of resuming an agent loop.
  */
 import {
-  resolveApprovalRequest,
   type GuardianApprovalRequest,
+  resolveApprovalRequest,
 } from '../../memory/channel-guardian-store.js';
 import { getLogger } from '../../util/logger.js';
 import { createOutboundSession } from '../channel-guardian-service.js';

package/src/runtime/routes/debug-routes.ts

@@ -4,13 +4,13 @@
 
 import { statSync } from 'node:fs';
 
-import { getDbPath } from '../../util/platform.js';
+import { getConfig } from '../../config/loader.js';
 import { countConversations } from '../../memory/conversation-store.js';
-import { getMemoryJobCounts } from '../../memory/jobs-store.js';
-import { countSchedules } from '../../schedule/schedule-store.js';
 import { rawAll } from '../../memory/db.js';
-import { getConfig } from '../../config/loader.js';
+import { getMemoryJobCounts } from '../../memory/jobs-store.js';
 import { getProviderDebugStatus } from '../../providers/registry.js';
+import { countSchedules } from '../../schedule/schedule-store.js';
+import { getDbPath } from '../../util/platform.js';
 
 /** Process start time — used to calculate uptime. */
 const startedAt = Date.now();