@vellumai/assistant 0.3.19 → 0.3.21

package/src/tools/system/voice-config.ts

@@ -3,60 +3,149 @@ import { RiskLevel } from '../../permissions/types.js';
 import type { ToolDefinition } from '../../providers/types.js';
 import type { Tool, ToolContext, ToolExecutionResult } from '../types.js';
 
-const TOOL_NAME = 'voice_config_update';
+/**
+ * Valid voice config settings and their UserDefaults key mappings.
+ */
+const VOICE_SETTINGS = {
+  activation_key: { userDefaultsKey: 'pttActivationKey', type: 'string' as const },
+  wake_word_enabled: { userDefaultsKey: 'wakeWordEnabled', type: 'boolean' as const },
+  wake_word_keyword: { userDefaultsKey: 'wakeWordKeyword', type: 'string' as const },
+  wake_word_timeout: { userDefaultsKey: 'wakeWordTimeoutSeconds', type: 'number' as const },
+} as const;
 
-export const voiceConfigUpdateTool: Tool = {
-  name: TOOL_NAME,
-  description:
-    'Change the push-to-talk activation key. Valid keys: fn (Fn/Globe key), ctrl (Control key), fn_shift (Fn+Shift), none (disable PTT).',
-  category: 'system',
-  defaultRiskLevel: RiskLevel.Low,
+type VoiceSettingName = keyof typeof VOICE_SETTINGS;
+
+const VALID_SETTINGS = Object.keys(VOICE_SETTINGS) as VoiceSettingName[];
+
+const VALID_TIMEOUTS = [5, 10, 15, 30, 60];
+
+function validateSetting(setting: string, value: unknown): { ok: true; coerced: string | boolean | number } | { ok: false; error: string } {
+  if (!VALID_SETTINGS.includes(setting as VoiceSettingName)) {
+    return { ok: false, error: `Unknown setting "${setting}". Valid settings: ${VALID_SETTINGS.join(', ')}` };
+  }
+
+  switch (setting) {
+    case 'activation_key': {
+      if (typeof value !== 'string' || value.length === 0) {
+        return { ok: false, error: 'activation_key must be a non-empty string' };
+      }
+      // Use the canonical normalizer from config-voice handler
+      const result = normalizeActivationKey(value);
+      if (!result.ok) {
+        return { ok: false, error: result.reason };
+      }
+      return { ok: true, coerced: result.value };
+    }
+    case 'wake_word_enabled': {
+      if (typeof value === 'boolean') return { ok: true, coerced: value };
+      if (value === 'true') return { ok: true, coerced: true };
+      if (value === 'false') return { ok: true, coerced: false };
+      return { ok: false, error: 'wake_word_enabled must be a boolean (or "true"/"false" string)' };
+    }
+    case 'wake_word_keyword': {
+      if (typeof value !== 'string' || value.trim().length === 0) {
+        return { ok: false, error: 'wake_word_keyword must be a non-empty string' };
+      }
+      return { ok: true, coerced: value.trim() };
+    }
+    case 'wake_word_timeout': {
+      const num = typeof value === 'number' ? value : Number(value);
+      if (Number.isNaN(num) || !VALID_TIMEOUTS.includes(num)) {
+        return { ok: false, error: `wake_word_timeout must be one of: ${VALID_TIMEOUTS.join(', ')}` };
+      }
+      return { ok: true, coerced: num };
+    }
+    default:
+      return { ok: false, error: `Unknown setting "${setting}"` };
+  }
+}
+
+const FRIENDLY_NAMES: Record<VoiceSettingName, string> = {
+  activation_key: 'PTT activation key',
+  wake_word_enabled: 'Wake word',
+  wake_word_keyword: 'Wake word keyword',
+  wake_word_timeout: 'Wake word timeout',
+};
+
+export class VoiceConfigUpdateTool implements Tool {
+  name = 'voice_config_update';
+  description =
+    'Update a voice configuration setting (PTT activation key, wake word enabled/keyword/timeout). ' +
+    'Changes take effect immediately via IPC broadcast to the desktop client.';
+  category = 'system';
+  defaultRiskLevel = RiskLevel.Low;
 
   getDefinition(): ToolDefinition {
     return {
-      name: TOOL_NAME,
+      name: this.name,
       description: this.description,
       input_schema: {
         type: 'object',
         properties: {
+          setting: {
+            type: 'string',
+            enum: [...VALID_SETTINGS],
+            description: 'The voice setting to change',
+          },
+          value: {
+            description: 'The new value for the setting (type depends on setting)',
+          },
+          // Backward compat: legacy schema used activation_key directly
           activation_key: {
             type: 'string',
-            description:
-              'The activation key to set. Accepts enum values (fn, ctrl, fn_shift, none) or natural language (e.g. "Control", "Fn+Shift", "Off").',
+            description: 'Deprecated — use setting: "activation_key" with value instead',
           },
         },
-        required: ['activation_key'],
       },
     };
-  },
-
-  async execute(
-    input: Record<string, unknown>,
-    _context: ToolContext,
-  ): Promise<ToolExecutionResult> {
-    const rawKey = input.activation_key;
-    if (typeof rawKey !== 'string' || rawKey.trim() === '') {
+  }
+
+  async execute(input: Record<string, unknown>, context: ToolContext): Promise<ToolExecutionResult> {
+    // Backward compat: if activation_key is provided without setting/value, treat as setting: "activation_key"
+    let setting = input.setting as string | undefined;
+    let value = input.value;
+
+    if (!setting && typeof input.activation_key === 'string') {
+      setting = 'activation_key';
+      value = input.activation_key;
+    }
+
+    if (!setting) {
+      return {
+        content: `Error: "setting" is required. Valid settings: ${VALID_SETTINGS.join(', ')}`,
+        isError: true,
+      };
+    }
+
+    if (value === undefined) {
       return {
-        content: 'Error: activation_key is required and must be a non-empty string.',
+        content: `Error: "value" is required for setting "${setting}".`,
         isError: true,
       };
     }
 
-    const result = normalizeActivationKey(rawKey);
-    if (!result.ok) {
-      return { content: result.reason, isError: true };
+    const validation = validateSetting(setting, value);
+    if (!validation.ok) {
+      return { content: `Error: ${validation.error}`, isError: true };
     }
 
-    const labels: Record<string, string> = {
-      fn: 'Fn/Globe key',
-      ctrl: 'Control key',
-      fn_shift: 'Fn+Shift',
-      none: 'disabled',
-    };
+    const meta = VOICE_SETTINGS[setting as VoiceSettingName];
+    const friendlyName = FRIENDLY_NAMES[setting as VoiceSettingName];
+
+    // Send client_settings_update IPC to write to UserDefaults
+    if (context.sendToClient) {
+      context.sendToClient({
+        type: 'client_settings_update',
+        key: meta.userDefaultsKey,
+        value: validation.coerced,
+      });
+    }
 
     return {
-      content: `Push-to-talk activation key updated to ${labels[result.value]} (${result.value}).`,
+      content: `${friendlyName} updated to ${JSON.stringify(validation.coerced)}. The change has been broadcast to the desktop client.`,
       isError: false,
     };
-  },
-};
+  }
+}
+
+export const voiceConfigUpdateTool = new VoiceConfigUpdateTool();

package/src/tools/terminal/backends/native.ts

@@ -6,24 +6,31 @@ import { join } from 'node:path';
 import { ToolError } from '../../../util/errors.js';
 import { getLogger } from '../../../util/logger.js';
 import { isLinux,isMacOS } from '../../../util/platform.js';
-import type { SandboxBackend, SandboxResult } from './types.js';
+import type { SandboxBackend, SandboxResult, WrapOptions } from './types.js';
 
 const log = getLogger('sandbox');
 
 const HASH_DISPLAY_LENGTH = 12;
 
 /**
- * macOS sandbox-exec profile that restricts shell commands:
+ * Build a macOS sandbox-exec SBPL profile.
+ *
+ * The profile restricts shell commands:
  * - Denies all by default
  * - Allows read access to most of the filesystem (needed for toolchains)
  * - Allows write access only to the working directory and temp dirs
- * - Blocks outbound network access
+ * - Blocks outbound network access (unless proxied)
  * - Blocks process debugging (ptrace)
  *
- * The WORKING_DIR placeholder is replaced at runtime with the actual
- * working directory path.
+ * When `allowNetwork` is true the `(deny network*)` rule is replaced with
+ * `(allow network*)` so the process can reach the local credential proxy.
  */
-const SANDBOX_PROFILE = `
+function buildSandboxProfile(allowNetwork: boolean): string {
+  const networkRule = allowNetwork
+    ? ';; Allow network access (proxied mode — needed to reach the credential proxy)\n(allow network*)'
+    : ';; Block network access\n(deny network*)';
+
+  return `
 (version 1)
 (deny default)
 
@@ -54,12 +61,12 @@ const SANDBOX_PROFILE = `
 ;; Allow IOKit (needed for some system calls)
 (allow iokit-open)
 
-;; Block network access
-(deny network*)
+${networkRule}
 
 ;; Block process debugging
 (deny process-info-pidinfo (target others))
 `.trim();
+}
 
 /**
  * Escape a path for safe embedding inside an SBPL quoted string.
@@ -83,15 +90,18 @@ function escapeSBPL(path: string): string {
  * a hash of the path) to avoid race conditions when concurrent commands
  * use different working directories.
  */
-function getProfilePath(workingDir: string): string {
+function getProfilePath(workingDir: string, allowNetwork: boolean): string {
   const dir = join(process.env.HOME ?? '/tmp', '.vellum');
   if (!existsSync(dir)) {
     mkdirSync(dir, { recursive: true });
   }
-  const hash = createHash('sha256').update(workingDir).digest('hex').slice(0, HASH_DISPLAY_LENGTH);
+  // Include the network flag in the hash so proxied and non-proxied profiles
+  // for the same directory don't collide.
+  const hashInput = allowNetwork ? `${workingDir}:proxied` : workingDir;
+  const hash = createHash('sha256').update(hashInput).digest('hex').slice(0, HASH_DISPLAY_LENGTH);
   const path = join(dir, `sandbox-profile-${hash}.sb`);
 
-  const profile = SANDBOX_PROFILE.replace(/__WORKING_DIR__/g, () => escapeSBPL(workingDir));
+  const profile = buildSandboxProfile(allowNetwork).replace(/__WORKING_DIR__/g, () => escapeSBPL(workingDir));
   writeFileSync(path, profile + '\n');
   return path;
 }
@@ -137,20 +147,29 @@ function isBwrapAvailable(): boolean {
  * - Network access blocked (--unshare-net)
  * - PID namespace isolated (--unshare-pid)
  */
-function buildBwrapArgs(workingDir: string, command: string): string[] {
-  return [
+function buildBwrapArgs(workingDir: string, command: string, allowNetwork: boolean): string[] {
+  const args = [
     // Filesystem: read-only root, writable working dir and temp
     '--ro-bind', '/', '/',
     '--bind', workingDir, workingDir,
     '--bind', '/tmp', '/tmp',
     '--dev', '/dev',
     '--proc', '/proc',
-    // Isolation
-    '--unshare-net',
+  ];
+
+  // Only isolate the network namespace when network access is not needed.
+  // In proxied mode the process must be able to reach 127.0.0.1:<proxy-port>.
+  if (!allowNetwork) {
+    args.push('--unshare-net');
+  }
+
+  args.push(
     '--unshare-pid',
     // Run bash inside the sandbox
     'bash', '-c', '--', command,
-  ];
+  );
+
+  return args;
 }
 
 /**
@@ -158,9 +177,11 @@ function buildBwrapArgs(workingDir: string, command: string): string[] {
  * macOS sandbox-exec (SBPL profiles) and Linux bwrap (bubblewrap).
  */
 export class NativeBackend implements SandboxBackend {
-  wrap(command: string, workingDir: string, _options?: import('./types.js').WrapOptions): SandboxResult {
+  wrap(command: string, workingDir: string, options?: WrapOptions): SandboxResult {
+    const allowNetwork = options?.networkMode === 'proxied';
+
     if (isMacOS()) {
-      const profile = getProfilePath(workingDir);
+      const profile = getProfilePath(workingDir, allowNetwork);
       return {
         command: 'sandbox-exec',
         args: ['-f', profile, 'bash', '-c', '--', command],
@@ -176,7 +197,7 @@ export class NativeBackend implements SandboxBackend {
       }
       return {
         command: 'bwrap',
-        args: buildBwrapArgs(workingDir, command),
+        args: buildBwrapArgs(workingDir, command, allowNetwork),
         sandboxed: true,
       };
     }

package/src/tools/terminal/backends/types.ts

@@ -10,15 +10,15 @@ export interface SandboxResult {
 export interface WrapOptions {
   /**
    * Network mode for this invocation.
-   * - 'off': no container network (--network=none). This is the default.
-   * - 'proxied': bridge network so the container can reach a host proxy (--network=bridge).
+   * - 'off': network access is blocked (sandbox-exec deny network / bwrap --unshare-net). This is the default.
+   * - 'proxied': network access is allowed so the process can reach the local credential proxy.
    */
   networkMode?: 'off' | 'proxied';
 }
 
 /**
  * A sandbox backend knows how to wrap a shell command so it runs
- * inside an OS-level sandbox (macOS sandbox-exec, Linux bwrap, Docker, etc.).
+ * inside an OS-level sandbox (macOS sandbox-exec, Linux bwrap, etc.).
  */
 export interface SandboxBackend {
   /** Wrap a command for sandboxed execution in the given working directory. */

package/src/tools/terminal/parser.ts

@@ -109,7 +109,7 @@ const initGuard = new PromiseGuard<void>();
  * don't exist — fall back to:
  *   1. `../Resources/<file>` (macOS .app bundle layout)
  *   2. Next to the compiled binary (process.execPath)
- * This matches the pattern used by docker.ts for Dockerfile.sandbox.
+ * This matches the pattern used for compiled Bun binary asset resolution.
  */
 function findWasmPath(pkg: string, file: string): string {
   const dir = import.meta.dirname ?? __dirname;

package/src/tools/terminal/sandbox-diagnostics.ts

@@ -1,9 +1,8 @@
-import { execFileSync,execSync } from 'node:child_process';
+import { execSync } from 'node:child_process';
 
 import { getConfig } from '../../config/loader.js';
 import type { SandboxConfig } from '../../config/schema.js';
-import { getSandboxWorkingDir,isLinux, isMacOS } from '../../util/platform.js';
-import { DEFAULT_SANDBOX_IMAGE } from './backends/docker.js';
+import { isLinux, isMacOS } from '../../util/platform.js';
 
 export interface SandboxCheckResult {
   label: string;
@@ -14,73 +13,12 @@ export interface SandboxCheckResult {
 export interface SandboxDiagnostics {
   config: {
     enabled: boolean;
-    backend: string;
-    dockerImage: string;
   };
   /** Why the active backend was selected (config vs platform default). */
   activeBackendReason: string;
   checks: SandboxCheckResult[];
 }
 
-function checkDockerCli(): SandboxCheckResult {
-  try {
-    const out = execSync('docker --version', { stdio: 'pipe', timeout: 5000, encoding: 'utf-8' }).trim();
-    return { label: 'Docker CLI installed', ok: true, detail: out };
-  } catch {
-    return { label: 'Docker CLI installed', ok: false, detail: 'docker not found in PATH' };
-  }
-}
-
-function checkDockerDaemon(): SandboxCheckResult {
-  try {
-    execSync('docker info', { stdio: 'pipe', timeout: 10000 });
-    return { label: 'Docker daemon running', ok: true };
-  } catch {
-    return { label: 'Docker daemon running', ok: false, detail: 'daemon not reachable — start Docker Desktop or run "sudo systemctl start docker"' };
-  }
-}
-
-function checkDockerImage(image: string): SandboxCheckResult {
-  try {
-    execFileSync('docker', ['image', 'inspect', image], { stdio: 'pipe', timeout: 10000 });
-    return { label: `Docker image available (${image})`, ok: true };
-  } catch {
-    // The default sandbox image is built locally from Dockerfile.sandbox — docker pull won't work.
-    const remediation = image === DEFAULT_SANDBOX_IMAGE
-      ? 'build with: docker build --no-cache -t vellum-sandbox:latest -f assistant/Dockerfile.sandbox assistant'
-      : `pull with: docker pull ${image}`;
-    return { label: `Docker image available (${image})`, ok: false, detail: remediation };
-  }
-}
-
-function checkDockerMountProbe(image: string): SandboxCheckResult {
-  // Use the same sandbox path and writable-mount probe that the runtime
-  // preflight uses (checkMountProbe in docker.ts) so doctor validates
-  // exactly what runtime enforces.
-  const sandboxRoot = getSandboxWorkingDir();
-  try {
-    execFileSync(
-      'docker',
-      [
-        'run', '--rm',
-        '--mount', `type=bind,src=${sandboxRoot},dst=/workspace`,
-        image, 'test', '-w', '/workspace',
-      ],
-      { stdio: 'pipe', timeout: 15000 },
-    );
-    return { label: 'Docker mount writable', ok: true };
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : 'unknown error';
-    return {
-      label: 'Docker mount writable',
-      ok: false,
-      detail: 'Cannot bind-mount sandbox root or /workspace is not writable. ' +
-        'If using Docker Desktop, enable file sharing for this path in Settings > Resources > File Sharing. ' +
-        `(${msg})`,
-    };
-  }
-}
-
 function checkNativeBackend(): SandboxCheckResult {
   if (isMacOS()) {
     try {
@@ -105,15 +43,12 @@ function getActiveBackendReason(sandboxConfig: SandboxConfig): string {
   if (!sandboxConfig.enabled) {
     return 'Sandbox is disabled in configuration';
   }
-  if (sandboxConfig.backend === 'docker') {
-    return 'Docker backend selected in configuration (sandbox.backend = "docker")';
-  }
-  return 'Native backend selected in configuration (sandbox.backend = "native")';
+  return 'Native backend selected';
 }
 
 /**
- * Run sandbox backend diagnostics. Checks Docker availability,
- * native backend availability, and reports current configuration.
+ * Run sandbox backend diagnostics. Checks native backend availability
+ * and reports current configuration.
  */
 export function runSandboxDiagnostics(): SandboxDiagnostics {
   const config = getConfig();
@@ -121,28 +56,12 @@ export function runSandboxDiagnostics(): SandboxDiagnostics {
 
   const checks: SandboxCheckResult[] = [];
 
-  // Always check native backend availability as a diagnostic signal
+  // Check native backend availability
   checks.push(checkNativeBackend());
 
-  // Docker checks: CLI, daemon, image, container execution
-  const cliResult = checkDockerCli();
-  checks.push(cliResult);
-
-  if (cliResult.ok) {
-    const daemonResult = checkDockerDaemon();
-    checks.push(daemonResult);
-
-    if (daemonResult.ok) {
-      checks.push(checkDockerImage(sandboxConfig.docker.image));
-      checks.push(checkDockerMountProbe(sandboxConfig.docker.image));
-    }
-  }
-
   return {
     config: {
       enabled: sandboxConfig.enabled,
-      backend: sandboxConfig.backend,
-      dockerImage: sandboxConfig.docker.image,
     },
     activeBackendReason: getActiveBackendReason(sandboxConfig),
     checks,

package/src/tools/terminal/sandbox.ts

@@ -1,6 +1,4 @@
 import type { SandboxConfig } from '../../config/schema.js';
-import { getSandboxWorkingDir } from '../../util/platform.js';
-import { DockerBackend } from './backends/docker.js';
 import { NativeBackend } from './backends/native.js';
 import type { SandboxResult, WrapOptions } from './backends/types.js';
 
@@ -12,7 +10,7 @@ const nativeBackend = new NativeBackend();
  * Wrap a shell command for sandboxed execution.
  *
  * When sandboxing is disabled, returns a plain bash invocation.
- * When enabled, delegates to the configured backend (native or docker).
+ * When enabled, delegates to the native backend.
  * Fails closed if the backend cannot be applied.
  *
  * @param options  Per-invocation overrides (e.g. networkMode for proxied bash).
@@ -31,14 +29,5 @@ export function wrapCommand(
     };
   }
 
-  if (config.backend === 'docker') {
-    // Always mount the canonical sandbox fs root, not whatever workingDir
-    // happens to be. workingDir may be a subdirectory; the mount source
-    // must be the fixed root so the entire sandbox filesystem is available.
-    const sandboxRoot = getSandboxWorkingDir();
-    const backend = new DockerBackend(sandboxRoot, config.docker);
-    return backend.wrap(command, workingDir, options);
-  }
-
   return nativeBackend.wrap(command, workingDir, options);
 }

package/src/tools/terminal/shell.ts

@@ -1,5 +1,4 @@
-import { execSync,spawn } from 'node:child_process';
-import { platform } from 'node:os';
+import { spawn } from 'node:child_process';
 
 import { getConfig } from '../../config/loader.js';
 import { RiskLevel } from '../../permissions/types.js';
@@ -21,32 +20,6 @@ import { wrapCommand } from './sandbox.js';
 
 const log = getLogger('shell-tool');
 
-/**
- * Returns the host address to bind the proxy to when Docker sandbox is active.
- * On macOS, Docker Desktop routes host.docker.internal through the VM to
- * 127.0.0.1, so no bind change is needed. On Linux, we need to bind to the
- * Docker bridge gateway IP so containers can reach the proxy.
- */
-function getDockerProxyHost(): string {
-  if (platform() !== 'linux') return '127.0.0.1';
-
-  try {
-    // Docker bridge gateway is the default route from inside docker0 network.
-    // `ip -4 addr show docker0` outputs the gateway IP assigned to the bridge.
-    const output = execSync('ip -4 addr show docker0 2>/dev/null', { encoding: 'utf-8' });
-    const match = output.match(/inet\s+(\d+\.\d+\.\d+\.\d+)/);
-    if (match) return match[1];
-  } catch {
-    // docker0 interface may not exist (e.g. rootless Docker, custom networks)
-  }
-  // Fallback: bind to localhost when docker0 is unavailable (e.g. rootless
-  // Docker, custom networks). This avoids EADDRNOTAVAIL from 172.17.0.1 while
-  // keeping the proxy off public interfaces — 0.0.0.0 would expose the
-  // unauthenticated credential proxy to the network. Docker containers won't
-  // be able to reach localhost on the host, but that's a safer failure mode.
-  return '127.0.0.1';
-}
-
 class ShellTool implements Tool {
   name = 'bash';
   description = 'Execute a shell command on the local machine';
@@ -153,7 +126,6 @@ class ShellTool implements Tool {
     const sandboxConfig = context.sandboxOverride != null
       ? { ...config.sandbox, enabled: context.sandboxOverride }
       : config.sandbox;
-    const isDockerSandbox = sandboxConfig.enabled && sandboxConfig.backend === 'docker';
 
     // Acquire proxy session if proxied mode is requested.
     // `getOrStartSession` serializes per-conversation so concurrent proxied
@@ -170,9 +142,9 @@ class ShellTool implements Tool {
           undefined,
           getDataDir(),
           context.proxyApprovalCallback,
-          isDockerSandbox ? { listenHost: getDockerProxyHost() } : undefined,
+          undefined,
         );
-        proxyEnv = getSessionEnv(session.id, { dockerMode: isDockerSandbox });
+        proxyEnv = getSessionEnv(session.id);
       } catch (err) {
         log.error({ err }, 'Failed to start proxy session');
         return {