@vellumai/assistant 0.3.19 → 0.3.20

package/src/tools/skills/load.ts

@@ -1,3 +1,6 @@
+import { isAssistantFeatureFlagEnabled } from '../../config/assistant-feature-flags.js';
+import { getConfig } from '../../config/loader.js';
+import { skillFlagKey } from '../../config/skill-state.js';
 import type { SkillSummary } from '../../config/skills.js';
 import { loadSkillBySelector, loadSkillCatalog } from '../../config/skills.js';
 import { RiskLevel } from '../../permissions/types.js';
@@ -46,6 +49,15 @@ export class SkillLoadTool implements Tool {
 
     const skill = loaded.skill;
 
+    // Assistant feature flag gate: reject loading if the skill's flag is OFF
+    const config = getConfig();
+    if (!isAssistantFeatureFlagEnabled(skillFlagKey(skill.id), config)) {
+      return {
+        content: `Error: skill "${skill.id}" is currently unavailable (disabled by feature flag)`,
+        isError: true,
+      };
+    }
+
     // Load catalog for include validation and child metadata output
     let catalogIndex: Map<string, SkillSummary> | undefined;
     if (skill.includes && skill.includes.length > 0) {
@@ -83,14 +95,15 @@ export class SkillLoadTool implements Tool {
       const childLines: string[] = [];
       for (const childId of skill.includes) {
         const child = catalogIndex.get(childId);
-        if (child) {
-          childLines.push(`  - ${child.id}: ${child.name} — ${child.description} (${child.skillFilePath})`);
-
-          // Load the included skill's body content
-          const childLoaded = loadSkillBySelector(childId);
-          if (childLoaded.skill && childLoaded.skill.body.length > 0) {
-            includedBodies.push(`--- Included Skill: ${childLoaded.skill.name} (${childId}) ---\n${childLoaded.skill.body}`);
-          }
+        if (!child) continue;
+        if (!isAssistantFeatureFlagEnabled(skillFlagKey(childId), config)) continue;
+
+        childLines.push(`  - ${child.id}: ${child.name} — ${child.description} (${child.skillFilePath})`);
+
+        // Load the included skill's body content
+        const childLoaded = loadSkillBySelector(childId);
+        if (childLoaded.skill && childLoaded.skill.body.length > 0) {
+          includedBodies.push(`--- Included Skill: ${childLoaded.skill.name} (${childId}) ---\n${childLoaded.skill.body}`);
         }
       }
       immediateChildrenSection = `Included Skills (immediate):\n${childLines.join('\n')}`;
@@ -113,6 +126,7 @@ export class SkillLoadTool implements Tool {
       for (const childId of skill.includes) {
         const child = catalogIndex.get(childId);
         if (!child) continue;
+        if (!isAssistantFeatureFlagEnabled(skillFlagKey(childId), config)) continue;
         let childHash: string | undefined;
         try {
           childHash = computeSkillVersionHash(child.directoryPath);

package/src/tools/system/avatar-generator.ts

@@ -0,0 +1,119 @@
+import { mkdirSync, writeFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+
+import { getConfig } from '../../config/loader.js';
+import { generateImage, mapGeminiError } from '../../media/gemini-image-service.js';
+import { RiskLevel } from '../../permissions/types.js';
+import type { ToolDefinition } from '../../providers/types.js';
+import { getLogger } from '../../util/logger.js';
+import { getWorkspaceDir } from '../../util/platform.js';
+import type { Tool, ToolContext, ToolExecutionResult } from '../types.js';
+
+const log = getLogger('avatar-generator');
+
+const TOOL_NAME = 'set_avatar';
+
+/** Canonical path where the custom avatar PNG is stored. */
+function getAvatarPath(): string {
+  return join(getWorkspaceDir(), 'data', 'avatar', 'custom-avatar.png');
+}
+
+export const setAvatarTool: Tool = {
+  name: TOOL_NAME,
+  description:
+    'Generate a custom avatar image from a text description. ' +
+    'Saves the result as the assistant\'s avatar.',
+  category: 'system',
+  defaultRiskLevel: RiskLevel.Low,
+
+  getDefinition(): ToolDefinition {
+    return {
+      name: TOOL_NAME,
+      description: this.description,
+      input_schema: {
+        type: 'object',
+        properties: {
+          description: {
+            type: 'string',
+            description:
+              'A text description of the desired avatar appearance, ' +
+              'e.g. "a friendly purple cat with green eyes wearing a tiny hat".',
+          },
+        },
+        required: ['description'],
+      },
+    };
+  },
+
+  async execute(
+    input: Record<string, unknown>,
+    _context: ToolContext,
+  ): Promise<ToolExecutionResult> {
+    const description = input.description;
+    if (typeof description !== 'string' || description.trim() === '') {
+      return {
+        content: 'Error: description is required and must be a non-empty string.',
+        isError: true,
+      };
+    }
+
+    const config = getConfig();
+    const apiKey = config.apiKeys.gemini ?? process.env.GEMINI_API_KEY;
+    if (!apiKey) {
+      return {
+        content: 'No Gemini API key configured. Please add your Gemini API key in Settings → Models & Services, or set the GEMINI_API_KEY environment variable.',
+        isError: true,
+      };
+    }
+
+    try {
+      log.info({ description: description.trim() }, 'Generating avatar via Gemini');
+
+      const prompt =
+        `Create an avatar image based on this description: ${description.trim()}\n\n` +
+        'Style: cute, friendly, work-safe illustration. ' +
+        'Vibrant but soft colors. Simple and recognizable at small sizes (28px). ' +
+        'Circular or rounded composition filling the canvas. ' +
+        'Subtle background color (not white or transparent).';
+
+      const result = await generateImage(apiKey, {
+        prompt,
+        mode: 'generate',
+        model: config.imageGenModel,
+      });
+
+      if (result.images.length === 0) {
+        return {
+          content: 'Error: Gemini returned no image data. Please try again.',
+          isError: true,
+        };
+      }
+
+      const image = result.images[0];
+      const pngBuffer = Buffer.from(image.dataBase64, 'base64');
+
+      const avatarPath = getAvatarPath();
+      const avatarDir = dirname(avatarPath);
+
+      mkdirSync(avatarDir, { recursive: true });
+      writeFileSync(avatarPath, pngBuffer);
+
+      log.info({ avatarPath }, 'Avatar saved successfully');
+
+      // Side-effect hook in tool-side-effects.ts broadcasts avatar_updated to all clients.
+
+      return {
+        content: 'Avatar updated! Your new avatar will appear shortly.',
+        isError: false,
+      };
+    } catch (error) {
+      const message = mapGeminiError(error);
+      log.error({ error: message }, 'Avatar generation failed');
+
+      return {
+        content: `Avatar generation failed: ${message}`,
+        isError: true,
+      };
+    }
+  },
+};

package/src/tools/system/navigate-settings.ts

@@ -0,0 +1,65 @@
+import { RiskLevel } from '../../permissions/types.js';
+import type { ToolDefinition } from '../../providers/types.js';
+import type { Tool, ToolContext, ToolExecutionResult } from '../types.js';
+
+const SETTINGS_TABS = [
+  'Voice',
+  'Connect',
+  'Trust',
+  'Model',
+  'Scheduling',
+  'Parental',
+] as const;
+
+type SettingsTab = (typeof SETTINGS_TABS)[number];
+
+export class NavigateSettingsTabTool implements Tool {
+  name = 'navigate_settings_tab';
+  description =
+    'Open the Vellum settings panel to a specific tab (e.g. Voice, Connect, Trust). ' +
+    'Use this when the user needs to review or adjust settings visually.';
+  category = 'system';
+  defaultRiskLevel = RiskLevel.Low;
+
+  getDefinition(): ToolDefinition {
+    return {
+      name: this.name,
+      description: this.description,
+      input_schema: {
+        type: 'object',
+        properties: {
+          tab: {
+            type: 'string',
+            enum: [...SETTINGS_TABS],
+            description: 'The settings tab to navigate to',
+          },
+        },
+        required: ['tab'],
+      },
+    };
+  }
+
+  async execute(input: Record<string, unknown>, context: ToolContext): Promise<ToolExecutionResult> {
+    const tab = input.tab as string;
+    if (!SETTINGS_TABS.includes(tab as SettingsTab)) {
+      return {
+        content: `Error: unknown tab "${tab}". Valid tabs: ${SETTINGS_TABS.join(', ')}`,
+        isError: true,
+      };
+    }
+
+    if (context.sendToClient) {
+      context.sendToClient({
+        type: 'navigate_settings',
+        tab,
+      });
+    }
+
+    return {
+      content: `Opened settings to the ${tab} tab.`,
+      isError: false,
+    };
+  }
+}
+
+export const navigateSettingsTabTool = new NavigateSettingsTabTool();

package/src/tools/system/open-system-settings.ts

@@ -0,0 +1,75 @@
+import { RiskLevel } from '../../permissions/types.js';
+import type { ToolDefinition } from '../../providers/types.js';
+import type { Tool, ToolContext, ToolExecutionResult } from '../types.js';
+
+const PANES = {
+  microphone: {
+    url: 'x-apple.systempreferences:com.apple.preference.security?Privacy_Microphone',
+    label: 'Microphone privacy',
+    instruction: 'Please toggle Vellum Assistant on.',
+  },
+  speech_recognition: {
+    url: 'x-apple.systempreferences:com.apple.preference.security?Privacy_SpeechRecognition',
+    label: 'Speech Recognition privacy',
+    instruction: 'Please toggle Vellum Assistant on.',
+  },
+} as const;
+
+type PaneName = keyof typeof PANES;
+
+const VALID_PANES = Object.keys(PANES) as PaneName[];
+
+export class OpenSystemSettingsTool implements Tool {
+  name = 'open_system_settings';
+  description =
+    'Open a specific macOS System Settings pane (e.g. Microphone or Speech Recognition privacy). ' +
+    'Use this to guide the user through granting permissions that can only be toggled in System Settings.';
+  category = 'system';
+  defaultRiskLevel = RiskLevel.Low;
+
+  getDefinition(): ToolDefinition {
+    return {
+      name: this.name,
+      description: this.description,
+      input_schema: {
+        type: 'object',
+        properties: {
+          pane: {
+            type: 'string',
+            enum: [...VALID_PANES],
+            description: 'The System Settings pane to open',
+          },
+        },
+        required: ['pane'],
+      },
+    };
+  }
+
+  async execute(input: Record<string, unknown>, context: ToolContext): Promise<ToolExecutionResult> {
+    const pane = input.pane as string;
+    if (!VALID_PANES.includes(pane as PaneName)) {
+      return {
+        content: `Error: unknown pane "${pane}". Valid panes: ${VALID_PANES.join(', ')}`,
+        isError: true,
+      };
+    }
+
+    const meta = PANES[pane as PaneName];
+
+    // Send open_url IPC to the client — the x-apple.systempreferences: scheme
+    // opens System Settings directly without a browser confirmation dialog.
+    if (context.sendToClient) {
+      context.sendToClient({
+        type: 'open_url',
+        url: meta.url,
+      });
+    }
+
+    return {
+      content: `Opened System Settings to ${meta.label}. ${meta.instruction}`,
+      isError: false,
+    };
+  }
+}
+
+export const openSystemSettingsTool = new OpenSystemSettingsTool();

package/src/tools/system/voice-config.ts

@@ -3,60 +3,149 @@ import { RiskLevel } from '../../permissions/types.js';
 import type { ToolDefinition } from '../../providers/types.js';
 import type { Tool, ToolContext, ToolExecutionResult } from '../types.js';
 
-const TOOL_NAME = 'voice_config_update';
+/**
+ * Valid voice config settings and their UserDefaults key mappings.
+ */
+const VOICE_SETTINGS = {
+  activation_key: { userDefaultsKey: 'pttActivationKey', type: 'string' as const },
+  wake_word_enabled: { userDefaultsKey: 'wakeWordEnabled', type: 'boolean' as const },
+  wake_word_keyword: { userDefaultsKey: 'wakeWordKeyword', type: 'string' as const },
+  wake_word_timeout: { userDefaultsKey: 'wakeWordTimeoutSeconds', type: 'number' as const },
+} as const;
 
-export const voiceConfigUpdateTool: Tool = {
-  name: TOOL_NAME,
-  description:
-    'Change the push-to-talk activation key. Valid keys: fn (Fn/Globe key), ctrl (Control key), fn_shift (Fn+Shift), none (disable PTT).',
-  category: 'system',
-  defaultRiskLevel: RiskLevel.Low,
+type VoiceSettingName = keyof typeof VOICE_SETTINGS;
+
+const VALID_SETTINGS = Object.keys(VOICE_SETTINGS) as VoiceSettingName[];
+
+const VALID_TIMEOUTS = [5, 10, 15, 30, 60];
+
+function validateSetting(setting: string, value: unknown): { ok: true; coerced: string | boolean | number } | { ok: false; error: string } {
+  if (!VALID_SETTINGS.includes(setting as VoiceSettingName)) {
+    return { ok: false, error: `Unknown setting "${setting}". Valid settings: ${VALID_SETTINGS.join(', ')}` };
+  }
+
+  switch (setting) {
+    case 'activation_key': {
+      if (typeof value !== 'string' || value.length === 0) {
+        return { ok: false, error: 'activation_key must be a non-empty string' };
+      }
+      // Use the canonical normalizer from config-voice handler
+      const result = normalizeActivationKey(value);
+      if (!result.ok) {
+        return { ok: false, error: result.reason };
+      }
+      return { ok: true, coerced: result.value };
+    }
+    case 'wake_word_enabled': {
+      if (typeof value === 'boolean') return { ok: true, coerced: value };
+      if (value === 'true') return { ok: true, coerced: true };
+      if (value === 'false') return { ok: true, coerced: false };
+      return { ok: false, error: 'wake_word_enabled must be a boolean (or "true"/"false" string)' };
+    }
+    case 'wake_word_keyword': {
+      if (typeof value !== 'string' || value.trim().length === 0) {
+        return { ok: false, error: 'wake_word_keyword must be a non-empty string' };
+      }
+      return { ok: true, coerced: value.trim() };
+    }
+    case 'wake_word_timeout': {
+      const num = typeof value === 'number' ? value : Number(value);
+      if (Number.isNaN(num) || !VALID_TIMEOUTS.includes(num)) {
+        return { ok: false, error: `wake_word_timeout must be one of: ${VALID_TIMEOUTS.join(', ')}` };
+      }
+      return { ok: true, coerced: num };
+    }
+    default:
+      return { ok: false, error: `Unknown setting "${setting}"` };
+  }
+}
+
+const FRIENDLY_NAMES: Record<VoiceSettingName, string> = {
+  activation_key: 'PTT activation key',
+  wake_word_enabled: 'Wake word',
+  wake_word_keyword: 'Wake word keyword',
+  wake_word_timeout: 'Wake word timeout',
+};
+
+export class VoiceConfigUpdateTool implements Tool {
+  name = 'voice_config_update';
+  description =
+    'Update a voice configuration setting (PTT activation key, wake word enabled/keyword/timeout). ' +
+    'Changes take effect immediately via IPC broadcast to the desktop client.';
+  category = 'system';
+  defaultRiskLevel = RiskLevel.Low;
 
   getDefinition(): ToolDefinition {
     return {
-      name: TOOL_NAME,
+      name: this.name,
       description: this.description,
       input_schema: {
         type: 'object',
         properties: {
+          setting: {
+            type: 'string',
+            enum: [...VALID_SETTINGS],
+            description: 'The voice setting to change',
+          },
+          value: {
+            description: 'The new value for the setting (type depends on setting)',
+          },
+          // Backward compat: legacy schema used activation_key directly
           activation_key: {
             type: 'string',
-            description:
-              'The activation key to set. Accepts enum values (fn, ctrl, fn_shift, none) or natural language (e.g. "Control", "Fn+Shift", "Off").',
+            description: 'Deprecated — use setting: "activation_key" with value instead',
           },
         },
-        required: ['activation_key'],
       },
     };
-  },
-
-  async execute(
-    input: Record<string, unknown>,
-    _context: ToolContext,
-  ): Promise<ToolExecutionResult> {
-    const rawKey = input.activation_key;
-    if (typeof rawKey !== 'string' || rawKey.trim() === '') {
+  }
+
+  async execute(input: Record<string, unknown>, context: ToolContext): Promise<ToolExecutionResult> {
+    // Backward compat: if activation_key is provided without setting/value, treat as setting: "activation_key"
+    let setting = input.setting as string | undefined;
+    let value = input.value;
+
+    if (!setting && typeof input.activation_key === 'string') {
+      setting = 'activation_key';
+      value = input.activation_key;
+    }
+
+    if (!setting) {
+      return {
+        content: `Error: "setting" is required. Valid settings: ${VALID_SETTINGS.join(', ')}`,
+        isError: true,
+      };
+    }
+
+    if (value === undefined) {
       return {
-        content: 'Error: activation_key is required and must be a non-empty string.',
+        content: `Error: "value" is required for setting "${setting}".`,
         isError: true,
       };
     }
 
-    const result = normalizeActivationKey(rawKey);
-    if (!result.ok) {
-      return { content: result.reason, isError: true };
+    const validation = validateSetting(setting, value);
+    if (!validation.ok) {
+      return { content: `Error: ${validation.error}`, isError: true };
     }
 
-    const labels: Record<string, string> = {
-      fn: 'Fn/Globe key',
-      ctrl: 'Control key',
-      fn_shift: 'Fn+Shift',
-      none: 'disabled',
-    };
+    const meta = VOICE_SETTINGS[setting as VoiceSettingName];
+    const friendlyName = FRIENDLY_NAMES[setting as VoiceSettingName];
+
+    // Send client_settings_update IPC to write to UserDefaults
+    if (context.sendToClient) {
+      context.sendToClient({
+        type: 'client_settings_update',
+        key: meta.userDefaultsKey,
+        value: validation.coerced,
+      });
+    }
 
     return {
-      content: `Push-to-talk activation key updated to ${labels[result.value]} (${result.value}).`,
+      content: `${friendlyName} updated to ${JSON.stringify(validation.coerced)}. The change has been broadcast to the desktop client.`,
       isError: false,
     };
-  },
-};
+  }
+}
+
+export const voiceConfigUpdateTool = new VoiceConfigUpdateTool();

package/src/tools/terminal/backends/native.ts

@@ -6,24 +6,31 @@ import { join } from 'node:path';
 import { ToolError } from '../../../util/errors.js';
 import { getLogger } from '../../../util/logger.js';
 import { isLinux,isMacOS } from '../../../util/platform.js';
-import type { SandboxBackend, SandboxResult } from './types.js';
+import type { SandboxBackend, SandboxResult, WrapOptions } from './types.js';
 
 const log = getLogger('sandbox');
 
 const HASH_DISPLAY_LENGTH = 12;
 
 /**
- * macOS sandbox-exec profile that restricts shell commands:
+ * Build a macOS sandbox-exec SBPL profile.
+ *
+ * The profile restricts shell commands:
  * - Denies all by default
  * - Allows read access to most of the filesystem (needed for toolchains)
  * - Allows write access only to the working directory and temp dirs
- * - Blocks outbound network access
+ * - Blocks outbound network access (unless proxied)
  * - Blocks process debugging (ptrace)
  *
- * The WORKING_DIR placeholder is replaced at runtime with the actual
- * working directory path.
+ * When `allowNetwork` is true the `(deny network*)` rule is replaced with
+ * `(allow network*)` so the process can reach the local credential proxy.
  */
-const SANDBOX_PROFILE = `
+function buildSandboxProfile(allowNetwork: boolean): string {
+  const networkRule = allowNetwork
+    ? ';; Allow network access (proxied mode — needed to reach the credential proxy)\n(allow network*)'
+    : ';; Block network access\n(deny network*)';
+
+  return `
 (version 1)
 (deny default)
 
@@ -54,12 +61,12 @@ const SANDBOX_PROFILE = `
 ;; Allow IOKit (needed for some system calls)
 (allow iokit-open)
 
-;; Block network access
-(deny network*)
+${networkRule}
 
 ;; Block process debugging
 (deny process-info-pidinfo (target others))
 `.trim();
+}
 
 /**
  * Escape a path for safe embedding inside an SBPL quoted string.
@@ -83,15 +90,18 @@ function escapeSBPL(path: string): string {
  * a hash of the path) to avoid race conditions when concurrent commands
  * use different working directories.
  */
-function getProfilePath(workingDir: string): string {
+function getProfilePath(workingDir: string, allowNetwork: boolean): string {
   const dir = join(process.env.HOME ?? '/tmp', '.vellum');
   if (!existsSync(dir)) {
     mkdirSync(dir, { recursive: true });
   }
-  const hash = createHash('sha256').update(workingDir).digest('hex').slice(0, HASH_DISPLAY_LENGTH);
+  // Include the network flag in the hash so proxied and non-proxied profiles
+  // for the same directory don't collide.
+  const hashInput = allowNetwork ? `${workingDir}:proxied` : workingDir;
+  const hash = createHash('sha256').update(hashInput).digest('hex').slice(0, HASH_DISPLAY_LENGTH);
   const path = join(dir, `sandbox-profile-${hash}.sb`);
 
-  const profile = SANDBOX_PROFILE.replace(/__WORKING_DIR__/g, () => escapeSBPL(workingDir));
+  const profile = buildSandboxProfile(allowNetwork).replace(/__WORKING_DIR__/g, () => escapeSBPL(workingDir));
   writeFileSync(path, profile + '\n');
   return path;
 }
@@ -137,20 +147,29 @@ function isBwrapAvailable(): boolean {
  * - Network access blocked (--unshare-net)
  * - PID namespace isolated (--unshare-pid)
  */
-function buildBwrapArgs(workingDir: string, command: string): string[] {
-  return [
+function buildBwrapArgs(workingDir: string, command: string, allowNetwork: boolean): string[] {
+  const args = [
     // Filesystem: read-only root, writable working dir and temp
     '--ro-bind', '/', '/',
     '--bind', workingDir, workingDir,
     '--bind', '/tmp', '/tmp',
     '--dev', '/dev',
     '--proc', '/proc',
-    // Isolation
-    '--unshare-net',
+  ];
+
+  // Only isolate the network namespace when network access is not needed.
+  // In proxied mode the process must be able to reach 127.0.0.1:<proxy-port>.
+  if (!allowNetwork) {
+    args.push('--unshare-net');
+  }
+
+  args.push(
     '--unshare-pid',
     // Run bash inside the sandbox
     'bash', '-c', '--', command,
-  ];
+  );
+
+  return args;
 }
 
 /**
@@ -158,9 +177,11 @@ function buildBwrapArgs(workingDir: string, command: string): string[] {
  * macOS sandbox-exec (SBPL profiles) and Linux bwrap (bubblewrap).
  */
 export class NativeBackend implements SandboxBackend {
-  wrap(command: string, workingDir: string, _options?: import('./types.js').WrapOptions): SandboxResult {
+  wrap(command: string, workingDir: string, options?: WrapOptions): SandboxResult {
+    const allowNetwork = options?.networkMode === 'proxied';
+
     if (isMacOS()) {
-      const profile = getProfilePath(workingDir);
+      const profile = getProfilePath(workingDir, allowNetwork);
       return {
         command: 'sandbox-exec',
         args: ['-f', profile, 'bash', '-c', '--', command],
@@ -176,7 +197,7 @@ export class NativeBackend implements SandboxBackend {
       }
       return {
         command: 'bwrap',
-        args: buildBwrapArgs(workingDir, command),
+        args: buildBwrapArgs(workingDir, command, allowNetwork),
         sandboxed: true,
       };
     }

package/src/tools/terminal/backends/types.ts

@@ -10,15 +10,15 @@ export interface SandboxResult {
 export interface WrapOptions {
   /**
    * Network mode for this invocation.
-   * - 'off': no container network (--network=none). This is the default.
-   * - 'proxied': bridge network so the container can reach a host proxy (--network=bridge).
+   * - 'off': network access is blocked (sandbox-exec deny network / bwrap --unshare-net). This is the default.
+   * - 'proxied': network access is allowed so the process can reach the local credential proxy.
    */
   networkMode?: 'off' | 'proxied';
 }
 
 /**
  * A sandbox backend knows how to wrap a shell command so it runs
- * inside an OS-level sandbox (macOS sandbox-exec, Linux bwrap, Docker, etc.).
+ * inside an OS-level sandbox (macOS sandbox-exec, Linux bwrap, etc.).
  */
 export interface SandboxBackend {
   /** Wrap a command for sandboxed execution in the given working directory. */

package/src/tools/terminal/parser.ts

@@ -109,7 +109,7 @@ const initGuard = new PromiseGuard<void>();
  * don't exist — fall back to:
  *   1. `../Resources/<file>` (macOS .app bundle layout)
  *   2. Next to the compiled binary (process.execPath)
- * This matches the pattern used by docker.ts for Dockerfile.sandbox.
+ * This matches the pattern used for compiled Bun binary asset resolution.
  */
 function findWasmPath(pkg: string, file: string): string {
   const dir = import.meta.dirname ?? __dirname;