@vellumai/assistant 0.3.2 → 0.3.4

package/src/tools/skills/vellum-catalog.ts

@@ -1,21 +1,11 @@
-import { existsSync, readdirSync, readFileSync, statSync } from 'node:fs';
-import { basename, join } from 'node:path';
-
 import { RiskLevel } from '../../permissions/types.js';
 import type { ToolDefinition } from '../../providers/types.js';
+import { parseFrontmatterFields } from '../../skills/frontmatter.js';
 import { createManagedSkill } from '../../skills/managed-store.js';
-import { getLogger } from '../../util/logger.js';
+import { fetchCatalogEntries, fetchSkillContent, checkVellumSkill } from '../../skills/vellum-catalog-remote.js';
 import type { Tool, ToolContext, ToolExecutionResult } from '../types.js';
 
-const log = getLogger('vellum-skills-catalog');
-
-const FRONTMATTER_REGEX = /^---\r?\n([\s\S]*?)\r?\n---(?:\r?\n|$)/;
-
-function getVellumSkillsDir(): string {
-  return join(import.meta.dir, '..', '..', 'config', 'vellum-skills');
-}
-
-interface CatalogEntry {
+export interface CatalogEntry {
   id: string;
   name: string;
   description: string;
@@ -23,88 +13,83 @@ interface CatalogEntry {
   includes?: string[];
 }
 
-function parseCatalogEntry(directory: string): CatalogEntry | null {
-  const skillFilePath = join(directory, 'SKILL.md');
-  if (!existsSync(skillFilePath)) return null;
-
-  try {
-    const stat = statSync(skillFilePath);
-    if (!stat.isFile()) return null;
-
-    const content = readFileSync(skillFilePath, 'utf-8');
-    const match = content.match(FRONTMATTER_REGEX);
-    if (!match) return null;
-
-    const fields: Record<string, string> = {};
-    for (const line of match[1].split(/\r?\n/)) {
-      const trimmed = line.trim();
-      if (!trimmed || trimmed.startsWith('#')) continue;
-      const separatorIndex = trimmed.indexOf(':');
-      if (separatorIndex === -1) continue;
-
-      const key = trimmed.slice(0, separatorIndex).trim();
-      let value = trimmed.slice(separatorIndex + 1).trim();
-      if ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'"))) {
-        value = value.slice(1, -1);
-      }
-      fields[key] = value;
-    }
+export { fetchCatalogEntries as listCatalogEntries, checkVellumSkill };
 
-    const name = fields.name?.trim();
-    const description = fields.description?.trim();
-    if (!name || !description) return null;
-
-    let emoji: string | undefined;
-    const metadataRaw = fields.metadata?.trim();
-    if (metadataRaw) {
-      try {
-        const parsed = JSON.parse(metadataRaw);
-        if (parsed?.vellum?.emoji) {
-          emoji = parsed.vellum.emoji as string;
-        }
-      } catch {
-        // ignore malformed metadata
-      }
-    }
+/**
+ * Install a skill from the vellum-skills catalog by ID.
+ * Fetches SKILL.md from GitHub (with bundled fallback) and creates a managed skill.
+ * Returns { success, skillName, error }.
+ */
+export async function installFromVellumCatalog(skillId: string, options?: { overwrite?: boolean }): Promise<{ success: boolean; skillName?: string; error?: string }> {
+  const trimmedId = skillId.trim();
 
-    let includes: string[] | undefined;
-    const includesRaw = fields.includes?.trim();
-    if (includesRaw) {
-      try {
-        const parsed = JSON.parse(includesRaw);
-        if (Array.isArray(parsed) && parsed.every((item: unknown) => typeof item === 'string')) {
-          const filtered = (parsed as string[]).map((s) => s.trim()).filter((s) => s.length > 0);
-          if (filtered.length > 0) includes = filtered;
-        }
-      } catch {
-        // ignore malformed includes
+  // Verify skill exists in catalog
+  const exists = await checkVellumSkill(trimmedId);
+  if (!exists) {
+    return { success: false, error: `Skill "${trimmedId}" not found in the Vellum catalog` };
+  }
+
+  // Fetch SKILL.md content (remote with bundled fallback)
+  const content = await fetchSkillContent(trimmedId);
+  if (!content) {
+    return { success: false, error: `Skill "${trimmedId}" SKILL.md not found` };
+  }
+
+  const parsed = parseFrontmatterFields(content);
+  if (!parsed) {
+    return { success: false, error: `Skill "${trimmedId}" has invalid SKILL.md` };
+  }
+
+  const { fields, body: bodyMarkdown } = parsed;
+
+  const name = fields.name?.trim();
+  const description = fields.description?.trim();
+  if (!name || !description) {
+    return { success: false, error: `Skill "${trimmedId}" has invalid SKILL.md (missing name or description)` };
+  }
+
+  let emoji: string | undefined;
+  const metadataRaw = fields.metadata?.trim();
+  if (metadataRaw) {
+    try {
+      const metaObj = JSON.parse(metadataRaw);
+      if (metaObj?.vellum?.emoji) {
+        emoji = metaObj.vellum.emoji as string;
       }
+    } catch {
+      // ignore malformed metadata
     }
-
-    return { id: basename(directory), name, description, emoji, includes };
-  } catch (err) {
-    log.warn({ err, directory }, 'Failed to read catalog entry');
-    return null;
   }
-}
 
-function listCatalogEntries(): CatalogEntry[] {
-  const catalogDir = getVellumSkillsDir();
-  if (!existsSync(catalogDir)) return [];
-
-  const entries: CatalogEntry[] = [];
-  try {
-    const dirEntries = readdirSync(catalogDir, { withFileTypes: true });
-    for (const entry of dirEntries) {
-      if (!entry.isDirectory()) continue;
-      const parsed = parseCatalogEntry(join(catalogDir, entry.name));
-      if (parsed) entries.push(parsed);
+  let includes: string[] | undefined;
+  const includesRaw = fields.includes?.trim();
+  if (includesRaw) {
+    try {
+      const includesObj = JSON.parse(includesRaw);
+      if (Array.isArray(includesObj) && includesObj.every((item: unknown) => typeof item === 'string')) {
+        const filtered = (includesObj as string[]).map((s) => s.trim()).filter((s) => s.length > 0);
+        if (filtered.length > 0) includes = filtered;
+      }
+    } catch {
+      // ignore malformed includes
     }
-  } catch (err) {
-    log.warn({ err, catalogDir }, 'Failed to list catalog entries');
+  }
+  const result = createManagedSkill({
+    id: trimmedId,
+    name,
+    description,
+    bodyMarkdown,
+    emoji,
+    includes,
+    overwrite: options?.overwrite ?? true,
+    addToIndex: true,
+  });
+
+  if (!result.created) {
+    return { success: false, error: result.error };
   }
 
-  return entries.sort((a, b) => a.id.localeCompare(b.id));
+  return { success: true, skillName: trimmedId };
 }
 
 class VellumSkillsCatalogTool implements Tool {
@@ -144,7 +129,7 @@ class VellumSkillsCatalogTool implements Tool {
 
     switch (action) {
       case 'list': {
-        const entries = listCatalogEntries();
+        const entries = await fetchCatalogEntries();
         if (entries.length === 0) {
           return { content: 'No Vellum-provided skills available in the catalog.', isError: false };
         }
@@ -157,52 +142,15 @@ class VellumSkillsCatalogTool implements Tool {
           return { content: 'Error: skill_id is required for install action', isError: true };
         }
 
-        const catalogDir = getVellumSkillsDir();
-        const skillDir = join(catalogDir, skillId.trim());
-        const skillFilePath = join(skillDir, 'SKILL.md');
-
-        if (!existsSync(skillFilePath)) {
-          const available = listCatalogEntries().map((e) => e.id);
-          return {
-            content: `Error: skill "${skillId}" not found in the Vellum catalog. Available: ${available.join(', ') || 'none'}`,
-            isError: true,
-          };
-        }
-
-        const content = readFileSync(skillFilePath, 'utf-8');
-        const match = content.match(FRONTMATTER_REGEX);
-        if (!match) {
-          return { content: `Error: skill "${skillId}" has invalid SKILL.md (missing frontmatter)`, isError: true };
-        }
-
-        const entry = parseCatalogEntry(skillDir);
-        if (!entry) {
-          return { content: `Error: skill "${skillId}" has invalid SKILL.md`, isError: true };
-        }
-
-        const bodyMarkdown = content.slice(match[0].length);
-
-        const result = createManagedSkill({
-          id: entry.id,
-          name: entry.name,
-          description: entry.description,
-          bodyMarkdown,
-          emoji: entry.emoji,
-          includes: entry.includes,
-          overwrite: input.overwrite === true,
-          addToIndex: true,
-        });
-
-        if (!result.created) {
+        const result = await installFromVellumCatalog(skillId, { overwrite: input.overwrite === true });
+        if (!result.success) {
           return { content: `Error: ${result.error}`, isError: true };
         }
 
         return {
           content: JSON.stringify({
             installed: true,
-            skill_id: entry.id,
-            name: entry.name,
-            path: result.path,
+            skill_id: result.skillName,
           }),
           isError: false,
         };

package/src/tools/subagent/spawn.ts

@@ -8,6 +8,7 @@ export async function executeSubagentSpawn(
   const label = input.label as string;
   const objective = input.objective as string;
   const extraContext = input.context as string | undefined;
+  const sendResultToUser = input.send_result_to_user !== false;
 
   if (!label || !objective) {
     return { content: 'Both "label" and "objective" are required.', isError: true };
@@ -26,6 +27,7 @@ export async function executeSubagentSpawn(
         label,
         objective,
         context: extraContext,
+        sendResultToUser,
       },
       sendToClient as (msg: unknown) => void,
     );

package/src/tools/terminal/parser.ts

@@ -36,7 +36,7 @@ export interface ParsedCommand {
 }
 
 const SHELL_PROGRAMS = new Set(['sh', 'bash', 'zsh', 'dash', 'ksh', 'fish']);
-const OPAQUE_PROGRAMS = new Set(['eval', 'source']);
+const OPAQUE_PROGRAMS = new Set(['eval', 'source', 'alias']);
 const DANGEROUS_ENV_VARS = new Set([
   'LD_PRELOAD', 'LD_LIBRARY_PATH',
   'DYLD_INSERT_LIBRARIES', 'DYLD_LIBRARY_PATH', 'DYLD_FRAMEWORK_PATH',
@@ -89,17 +89,33 @@ const initGuard = new PromiseGuard<void>();
  */
 function findWasmPath(pkg: string, file: string): string {
   const dir = import.meta.dirname ?? __dirname;
-  const sourcePath = join(dir, '..', '..', '..', 'node_modules', pkg, file);
 
-  if (!existsSync(sourcePath) && dir.startsWith('/$bunfs/')) {
+  // In compiled Bun binaries, import.meta.dirname points into the virtual
+  // /$bunfs/ filesystem.  Prefer bundled WASM assets shipped alongside the
+  // executable before falling back to process.cwd(), so we never accidentally
+  // pick up a mismatched version from the working directory.
+  if (dir.startsWith('/$bunfs/')) {
     const execDir = dirname(process.execPath);
     // macOS .app bundle: binary is in Contents/MacOS/, resources in Contents/Resources/
     const resourcesPath = join(execDir, '..', 'Resources', file);
     if (existsSync(resourcesPath)) return resourcesPath;
-    // Fallback: next to the binary itself (non-app-bundle deployments)
-    return join(execDir, file);
+    // Next to the binary itself (non-app-bundle deployments)
+    const execDirPath = join(execDir, file);
+    if (existsSync(execDirPath)) return execDirPath;
+    // Last resort: resolve from process.cwd() (the assistant/ directory)
+    const cwdPath = join(process.cwd(), 'node_modules', pkg, file);
+    if (existsSync(cwdPath)) return cwdPath;
+    return execDirPath;
   }
 
+  const sourcePath = join(dir, '..', '..', '..', 'node_modules', pkg, file);
+
+  if (existsSync(sourcePath)) return sourcePath;
+
+  // Fallback: resolve from process.cwd() (the assistant/ directory).
+  const cwdPath = join(process.cwd(), 'node_modules', pkg, file);
+  if (existsSync(cwdPath)) return cwdPath;
+
   return sourcePath;
 }
 

package/src/util/platform.ts

@@ -1,4 +1,4 @@
-import { mkdirSync, existsSync, statSync, unlinkSync, renameSync, readFileSync, writeFileSync, readdirSync } from 'node:fs';
+import { mkdirSync, existsSync, statSync, unlinkSync, renameSync, readFileSync, writeFileSync, readdirSync, chmodSync } from 'node:fs';
 import { join, dirname } from 'node:path';
 import { homedir } from 'node:os';
 /**
@@ -565,6 +565,13 @@ export function ensureDataDir(): void {
       mkdirSync(dir, { recursive: true });
     }
   }
+  // Lock down the root directory so only the owner can traverse it.
+  // Runtime files (socket, session token, PID) live directly under root.
+  try {
+    chmodSync(root, 0o700);
+  } catch {
+    // Non-fatal: some filesystems don't support Unix permissions
+  }
 }
 
 /**

package/src/util/retry.ts

@@ -58,10 +58,10 @@ export function getHttpRetryDelay(
     const parsed = parseRetryAfterMs(retryAfter);
     if (parsed !== undefined) return parsed;
   }
-  // Enforce a minimum floor of baseDelayMs when Retry-After is missing.
-  // computeRetryDelay uses equal jitter (cap/2 + random*cap/2) which can
-  // dip to ~500ms on attempt 0 — too aggressive for 429 rate limits.
-  return Math.max(baseDelayMs, computeRetryDelay(attempt, baseDelayMs));
+  // For attempt 0, double the base so jitter range [baseDelayMs, 2*baseDelayMs) stays above the floor.
+  // For attempt >= 1, use the original base — jitter is already above baseDelayMs.
+  const effectiveBase = attempt === 0 ? baseDelayMs * 2 : baseDelayMs;
+  return Math.max(baseDelayMs, computeRetryDelay(attempt, effectiveBase));
 }
 
 /**