@vellumai/assistant 0.3.3 → 0.3.5

package/src/tools/skills/vellum-catalog.ts

@@ -1,20 +1,10 @@
-import { existsSync, readdirSync, readFileSync, statSync } from 'node:fs';
-import { basename, join } from 'node:path';
-
 import { RiskLevel } from '../../permissions/types.js';
 import type { ToolDefinition } from '../../providers/types.js';
+import { parseFrontmatterFields } from '../../skills/frontmatter.js';
 import { createManagedSkill } from '../../skills/managed-store.js';
-import { getLogger } from '../../util/logger.js';
+import { fetchCatalogEntries, fetchSkillContent, checkVellumSkill } from '../../skills/vellum-catalog-remote.js';
 import type { Tool, ToolContext, ToolExecutionResult } from '../types.js';
 
-const log = getLogger('vellum-skills-catalog');
-
-const FRONTMATTER_REGEX = /^---\r?\n([\s\S]*?)\r?\n---(?:\r?\n|$)/;
-
-function getVellumSkillsDir(): string {
-  return join(import.meta.dir, '..', '..', 'config', 'vellum-skills');
-}
-
 export interface CatalogEntry {
   id: string;
   name: string;
@@ -23,123 +13,75 @@ export interface CatalogEntry {
   includes?: string[];
 }
 
-function parseCatalogEntry(directory: string): CatalogEntry | null {
-  const skillFilePath = join(directory, 'SKILL.md');
-  if (!existsSync(skillFilePath)) return null;
-
-  try {
-    const stat = statSync(skillFilePath);
-    if (!stat.isFile()) return null;
-
-    const content = readFileSync(skillFilePath, 'utf-8');
-    const match = content.match(FRONTMATTER_REGEX);
-    if (!match) return null;
-
-    const fields: Record<string, string> = {};
-    for (const line of match[1].split(/\r?\n/)) {
-      const trimmed = line.trim();
-      if (!trimmed || trimmed.startsWith('#')) continue;
-      const separatorIndex = trimmed.indexOf(':');
-      if (separatorIndex === -1) continue;
-
-      const key = trimmed.slice(0, separatorIndex).trim();
-      let value = trimmed.slice(separatorIndex + 1).trim();
-      if ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'"))) {
-        value = value.slice(1, -1);
-      }
-      fields[key] = value;
-    }
-
-    const name = fields.name?.trim();
-    const description = fields.description?.trim();
-    if (!name || !description) return null;
+export { fetchCatalogEntries as listCatalogEntries, checkVellumSkill };
 
-    let emoji: string | undefined;
-    const metadataRaw = fields.metadata?.trim();
-    if (metadataRaw) {
-      try {
-        const parsed = JSON.parse(metadataRaw);
-        if (parsed?.vellum?.emoji) {
-          emoji = parsed.vellum.emoji as string;
-        }
-      } catch {
-        // ignore malformed metadata
-      }
-    }
-
-    let includes: string[] | undefined;
-    const includesRaw = fields.includes?.trim();
-    if (includesRaw) {
-      try {
-        const parsed = JSON.parse(includesRaw);
-        if (Array.isArray(parsed) && parsed.every((item: unknown) => typeof item === 'string')) {
-          const filtered = (parsed as string[]).map((s) => s.trim()).filter((s) => s.length > 0);
-          if (filtered.length > 0) includes = filtered;
-        }
-      } catch {
-        // ignore malformed includes
-      }
-    }
+/**
+ * Install a skill from the vellum-skills catalog by ID.
+ * Fetches SKILL.md from GitHub (with bundled fallback) and creates a managed skill.
+ * Returns { success, skillName, error }.
+ */
+export async function installFromVellumCatalog(skillId: string, options?: { overwrite?: boolean }): Promise<{ success: boolean; skillName?: string; error?: string }> {
+  const trimmedId = skillId.trim();
 
-    return { id: basename(directory), name, description, emoji, includes };
-  } catch (err) {
-    log.warn({ err, directory }, 'Failed to read catalog entry');
-    return null;
+  // Verify skill exists in catalog
+  const exists = await checkVellumSkill(trimmedId);
+  if (!exists) {
+    return { success: false, error: `Skill "${trimmedId}" not found in the Vellum catalog` };
   }
-}
-
-export function listCatalogEntries(): CatalogEntry[] {
-  const catalogDir = getVellumSkillsDir();
-  if (!existsSync(catalogDir)) return [];
 
-  const entries: CatalogEntry[] = [];
-  try {
-    const dirEntries = readdirSync(catalogDir, { withFileTypes: true });
-    for (const entry of dirEntries) {
-      if (!entry.isDirectory()) continue;
-      const parsed = parseCatalogEntry(join(catalogDir, entry.name));
-      if (parsed) entries.push(parsed);
-    }
-  } catch (err) {
-    log.warn({ err, catalogDir }, 'Failed to list catalog entries');
+  // Fetch SKILL.md content (remote with bundled fallback)
+  const content = await fetchSkillContent(trimmedId);
+  if (!content) {
+    return { success: false, error: `Skill "${trimmedId}" SKILL.md not found` };
   }
 
-  return entries.sort((a, b) => a.id.localeCompare(b.id));
-}
+  const parsed = parseFrontmatterFields(content);
+  if (!parsed) {
+    return { success: false, error: `Skill "${trimmedId}" has invalid SKILL.md` };
+  }
 
-/**
- * Install a skill from the vellum-skills catalog by ID.
- * Returns { success, skillName, error }.
- */
-export function installFromVellumCatalog(skillId: string): { success: boolean; skillName?: string; error?: string } {
-  const catalogDir = getVellumSkillsDir();
-  const skillDir = join(catalogDir, skillId.trim());
-  const skillFilePath = join(skillDir, 'SKILL.md');
+  const { fields, body: bodyMarkdown } = parsed;
 
-  if (!existsSync(skillFilePath)) {
-    return { success: false, error: `Skill "${skillId}" not found in the Vellum catalog` };
+  const name = fields.name?.trim();
+  const description = fields.description?.trim();
+  if (!name || !description) {
+    return { success: false, error: `Skill "${trimmedId}" has invalid SKILL.md (missing name or description)` };
   }
 
-  const content = readFileSync(skillFilePath, 'utf-8');
-  const match = content.match(FRONTMATTER_REGEX);
-  if (!match) {
-    return { success: false, error: `Skill "${skillId}" has invalid SKILL.md` };
+  let emoji: string | undefined;
+  const metadataRaw = fields.metadata?.trim();
+  if (metadataRaw) {
+    try {
+      const metaObj = JSON.parse(metadataRaw);
+      if (metaObj?.vellum?.emoji) {
+        emoji = metaObj.vellum.emoji as string;
+      }
+    } catch {
+      // ignore malformed metadata
+    }
   }
 
-  const entry = parseCatalogEntry(skillDir);
-  if (!entry) {
-    return { success: false, error: `Skill "${skillId}" has invalid SKILL.md` };
+  let includes: string[] | undefined;
+  const includesRaw = fields.includes?.trim();
+  if (includesRaw) {
+    try {
+      const includesObj = JSON.parse(includesRaw);
+      if (Array.isArray(includesObj) && includesObj.every((item: unknown) => typeof item === 'string')) {
+        const filtered = (includesObj as string[]).map((s) => s.trim()).filter((s) => s.length > 0);
+        if (filtered.length > 0) includes = filtered;
+      }
+    } catch {
+      // ignore malformed includes
+    }
   }
-
-  const bodyMarkdown = content.slice(match[0].length);
   const result = createManagedSkill({
-    id: entry.id,
-    name: entry.name,
-    description: entry.description,
+    id: trimmedId,
+    name,
+    description,
     bodyMarkdown,
-    emoji: entry.emoji,
-    includes: entry.includes,
-    overwrite: true,
+    emoji,
+    includes,
+    overwrite: options?.overwrite ?? true,
     addToIndex: true,
   });
 
@@ -147,7 +89,7 @@ export function installFromVellumCatalog(skillId: string): { success: boolean; s
     return { success: false, error: result.error };
   }
 
-  return { success: true, skillName: entry.id };
+  return { success: true, skillName: trimmedId };
 }
 
 class VellumSkillsCatalogTool implements Tool {
@@ -187,7 +129,7 @@ class VellumSkillsCatalogTool implements Tool {
 
     switch (action) {
       case 'list': {
-        const entries = listCatalogEntries();
+        const entries = await fetchCatalogEntries();
         if (entries.length === 0) {
           return { content: 'No Vellum-provided skills available in the catalog.', isError: false };
         }
@@ -200,52 +142,15 @@ class VellumSkillsCatalogTool implements Tool {
           return { content: 'Error: skill_id is required for install action', isError: true };
         }
 
-        const catalogDir = getVellumSkillsDir();
-        const skillDir = join(catalogDir, skillId.trim());
-        const skillFilePath = join(skillDir, 'SKILL.md');
-
-        if (!existsSync(skillFilePath)) {
-          const available = listCatalogEntries().map((e) => e.id);
-          return {
-            content: `Error: skill "${skillId}" not found in the Vellum catalog. Available: ${available.join(', ') || 'none'}`,
-            isError: true,
-          };
-        }
-
-        const content = readFileSync(skillFilePath, 'utf-8');
-        const match = content.match(FRONTMATTER_REGEX);
-        if (!match) {
-          return { content: `Error: skill "${skillId}" has invalid SKILL.md (missing frontmatter)`, isError: true };
-        }
-
-        const entry = parseCatalogEntry(skillDir);
-        if (!entry) {
-          return { content: `Error: skill "${skillId}" has invalid SKILL.md`, isError: true };
-        }
-
-        const bodyMarkdown = content.slice(match[0].length);
-
-        const result = createManagedSkill({
-          id: entry.id,
-          name: entry.name,
-          description: entry.description,
-          bodyMarkdown,
-          emoji: entry.emoji,
-          includes: entry.includes,
-          overwrite: input.overwrite === true,
-          addToIndex: true,
-        });
-
-        if (!result.created) {
+        const result = await installFromVellumCatalog(skillId, { overwrite: input.overwrite === true });
+        if (!result.success) {
           return { content: `Error: ${result.error}`, isError: true };
         }
 
         return {
           content: JSON.stringify({
             installed: true,
-            skill_id: entry.id,
-            name: entry.name,
-            path: result.path,
+            skill_id: result.skillName,
           }),
           isError: false,
         };

package/src/tools/terminal/parser.ts

@@ -36,7 +36,7 @@ export interface ParsedCommand {
 }
 
 const SHELL_PROGRAMS = new Set(['sh', 'bash', 'zsh', 'dash', 'ksh', 'fish']);
-const OPAQUE_PROGRAMS = new Set(['eval', 'source']);
+const OPAQUE_PROGRAMS = new Set(['eval', 'source', 'alias']);
 const DANGEROUS_ENV_VARS = new Set([
   'LD_PRELOAD', 'LD_LIBRARY_PATH',
   'DYLD_INSERT_LIBRARIES', 'DYLD_LIBRARY_PATH', 'DYLD_FRAMEWORK_PATH',
@@ -89,17 +89,33 @@ const initGuard = new PromiseGuard<void>();
  */
 function findWasmPath(pkg: string, file: string): string {
   const dir = import.meta.dirname ?? __dirname;
-  const sourcePath = join(dir, '..', '..', '..', 'node_modules', pkg, file);
 
-  if (!existsSync(sourcePath) && dir.startsWith('/$bunfs/')) {
+  // In compiled Bun binaries, import.meta.dirname points into the virtual
+  // /$bunfs/ filesystem.  Prefer bundled WASM assets shipped alongside the
+  // executable before falling back to process.cwd(), so we never accidentally
+  // pick up a mismatched version from the working directory.
+  if (dir.startsWith('/$bunfs/')) {
     const execDir = dirname(process.execPath);
     // macOS .app bundle: binary is in Contents/MacOS/, resources in Contents/Resources/
     const resourcesPath = join(execDir, '..', 'Resources', file);
     if (existsSync(resourcesPath)) return resourcesPath;
-    // Fallback: next to the binary itself (non-app-bundle deployments)
-    return join(execDir, file);
+    // Next to the binary itself (non-app-bundle deployments)
+    const execDirPath = join(execDir, file);
+    if (existsSync(execDirPath)) return execDirPath;
+    // Last resort: resolve from process.cwd() (the assistant/ directory)
+    const cwdPath = join(process.cwd(), 'node_modules', pkg, file);
+    if (existsSync(cwdPath)) return cwdPath;
+    return execDirPath;
   }
 
+  const sourcePath = join(dir, '..', '..', '..', 'node_modules', pkg, file);
+
+  if (existsSync(sourcePath)) return sourcePath;
+
+  // Fallback: resolve from process.cwd() (the assistant/ directory).
+  const cwdPath = join(process.cwd(), 'node_modules', pkg, file);
+  if (existsSync(cwdPath)) return cwdPath;
+
   return sourcePath;
 }
 

package/src/tools/types.ts

@@ -87,6 +87,8 @@ export interface ToolContext {
   workingDir: string;
   sessionId: string;
   conversationId: string;
+  /** Logical assistant scope for multi-assistant routing. */
+  assistantId?: string;
   /** When set, the tool execution is part of a task run. Used to retrieve ephemeral permission rules. */
   taskRunId?: string;
   /** Per-message request ID for log correlation across session/connection boundaries. */

package/src/twitter/router.ts

@@ -41,7 +41,7 @@ export async function routedPostTweet(
   if (strategy === 'oauth') {
     // User explicitly wants OAuth
     if (!oauthIsAvailable()) {
-      throw Object.assign(new Error('OAuth is not configured. Set up OAuth credentials in Settings, or switch to browser strategy: `vellum x strategy set browser`.'), {
+      throw Object.assign(new Error('OAuth is not configured. Provide your X developer credentials here in the chat to set up OAuth, or switch to browser strategy: `vellum x strategy set browser`.'), {
         pathUsed: 'oauth' as const,
         suggestAlternative: 'browser' as const,
       });

package/src/util/platform.ts

@@ -1,4 +1,4 @@
-import { mkdirSync, existsSync, statSync, unlinkSync, renameSync, readFileSync, writeFileSync, readdirSync } from 'node:fs';
+import { mkdirSync, existsSync, statSync, unlinkSync, renameSync, readFileSync, writeFileSync, readdirSync, chmodSync } from 'node:fs';
 import { join, dirname } from 'node:path';
 import { homedir } from 'node:os';
 /**
@@ -45,6 +45,41 @@ export function getClipboardCommand(): string | null {
   return null;
 }
 
+/**
+ * Read and parse the lockfile, trying the primary path (~/.vellum.lock.json)
+ * first, then falling back to the legacy path (~/.vellum.lockfile.json).
+ * Respects BASE_DATA_DIR for non-standard home directories.
+ * Returns null if neither file exists or both are malformed.
+ */
+export function readLockfile(): Record<string, unknown> | null {
+  const base = process.env.BASE_DATA_DIR?.trim() || homedir();
+  const candidates = [
+    join(base, '.vellum.lock.json'),
+    join(base, '.vellum.lockfile.json'),
+  ];
+  for (const lockPath of candidates) {
+    if (!existsSync(lockPath)) continue;
+    try {
+      const raw = JSON.parse(readFileSync(lockPath, 'utf-8'));
+      if (raw && typeof raw === 'object' && !Array.isArray(raw)) {
+        return raw as Record<string, unknown>;
+      }
+    } catch {
+      // malformed JSON — try next
+    }
+  }
+  return null;
+}
+
+/**
+ * Write data to the primary lockfile (~/.vellum.lock.json).
+ * Respects BASE_DATA_DIR for non-standard home directories.
+ */
+export function writeLockfile(data: Record<string, unknown>): void {
+  const base = process.env.BASE_DATA_DIR?.trim() || homedir();
+  writeFileSync(join(base, '.vellum.lock.json'), JSON.stringify(data, null, 2) + '\n');
+}
+
 /**
  * Returns the root ~/.vellum directory. User-facing files (config, prompt
  * files, skills) and runtime files (socket, PID) live here.
@@ -565,6 +600,13 @@ export function ensureDataDir(): void {
       mkdirSync(dir, { recursive: true });
     }
   }
+  // Lock down the root directory so only the owner can traverse it.
+  // Runtime files (socket, session token, PID) live directly under root.
+  try {
+    chmodSync(root, 0o700);
+  } catch {
+    // Non-fatal: some filesystems don't support Unix permissions
+  }
 }
 
 /**

package/src/util/retry.ts

@@ -58,10 +58,10 @@ export function getHttpRetryDelay(
     const parsed = parseRetryAfterMs(retryAfter);
     if (parsed !== undefined) return parsed;
   }
-  // Enforce a minimum floor of baseDelayMs when Retry-After is missing.
-  // computeRetryDelay uses equal jitter (cap/2 + random*cap/2) which can
-  // dip to ~500ms on attempt 0 — too aggressive for 429 rate limits.
-  return Math.max(baseDelayMs, computeRetryDelay(attempt, baseDelayMs));
+  // For attempt 0, double the base so jitter range [baseDelayMs, 2*baseDelayMs) stays above the floor.
+  // For attempt >= 1, use the original base — jitter is already above baseDelayMs.
+  const effectiveBase = attempt === 0 ? baseDelayMs * 2 : baseDelayMs;
+  return Math.max(baseDelayMs, computeRetryDelay(attempt, effectiveBase));
 }
 
 /**