@vellumai/assistant 0.3.4 → 0.3.6

package/src/migrations/workspace-layout.ts

@@ -0,0 +1,79 @@
+import { existsSync, mkdirSync, renameSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { getRootDir, getWorkspaceDir } from '../util/platform.js';
+import { migrationLog } from './log.js';
+import { mergeSkippedConfigKeys } from './config-merge.js';
+import { mergeLegacyHooks } from './hooks-merge.js';
+import { mergeLegacySkills } from './skills-merge.js';
+import { mergeLegacyDataEntries } from './data-merge.js';
+
+/**
+ * Idempotent move: relocates source to destination for migration.
+ * - No-op if source is missing (already migrated or never existed).
+ * - No-op if destination already exists (avoids clobbering).
+ * - Creates destination parent directories as needed.
+ * - Logs warning on failure instead of throwing.
+ *
+ * Exported for testing; not intended for general use outside migrations.
+ */
+export function migratePath(source: string, destination: string): void {
+  if (!existsSync(source)) return;
+  if (existsSync(destination)) {
+    migrationLog('debug', 'Migration skipped: destination already exists', { source, destination });
+    return;
+  }
+  try {
+    const destDir = dirname(destination);
+    if (!existsSync(destDir)) {
+      mkdirSync(destDir, { recursive: true });
+    }
+    renameSync(source, destination);
+    migrationLog('info', 'Migrated path', { from: source, to: destination });
+  } catch (err) {
+    migrationLog('warn', 'Failed to migrate path', { err: String(err), from: source, to: destination });
+  }
+}
+
+/**
+ * Migrate from the flat ~/.vellum layout to the workspace-based layout.
+ *
+ * Step (a) is special: if the workspace dir doesn't exist yet but the old
+ * sandbox working dir (data/sandbox/fs) does, its contents are "extracted"
+ * to become the new workspace root via rename. All subsequent moves then
+ * land inside that workspace directory.
+ *
+ * Idempotent: safe to call on every startup — already-migrated items are
+ * skipped, and a second run is a no-op.
+ */
+export function migrateToWorkspaceLayout(): void {
+  const root = getRootDir();
+  if (!existsSync(root)) return;
+
+  const ws = getWorkspaceDir();
+
+  // (a) Extract data/sandbox/fs -> workspace (only when workspace doesn't exist yet)
+  if (!existsSync(ws)) {
+    const sandboxFs = join(root, 'data', 'sandbox', 'fs');
+    if (existsSync(sandboxFs)) {
+      try {
+        renameSync(sandboxFs, ws);
+        migrationLog('info', 'Extracted sandbox/fs as workspace root', { from: sandboxFs, to: ws });
+      } catch (err) {
+        migrationLog('warn', 'Failed to extract sandbox/fs', { err: String(err), from: sandboxFs, to: ws });
+      }
+    }
+  }
+
+  // (b)-(h) Move legacy root-level items into workspace
+  migratePath(join(root, 'config.json'), join(ws, 'config.json'));
+  mergeSkippedConfigKeys(join(root, 'config.json'), join(ws, 'config.json'));
+  migratePath(join(root, 'data'), join(ws, 'data'));
+  mergeLegacyDataEntries(join(root, 'data'), join(ws, 'data'));
+  migratePath(join(root, 'hooks'), join(ws, 'hooks'));
+  mergeLegacyHooks(join(root, 'hooks'), join(ws, 'hooks'));
+  migratePath(join(root, 'IDENTITY.md'), join(ws, 'IDENTITY.md'));
+  migratePath(join(root, 'skills'), join(ws, 'skills'));
+  mergeLegacySkills(join(root, 'skills'), join(ws, 'skills'));
+  migratePath(join(root, 'SOUL.md'), join(ws, 'SOUL.md'));
+  migratePath(join(root, 'USER.md'), join(ws, 'USER.md'));
+}

package/src/permissions/checker.ts

@@ -1,6 +1,6 @@
+import { createHash } from 'node:crypto';
 import { RiskLevel, type PermissionCheckResult, type AllowlistOption, type ScopeOption, type PolicyContext } from './types.js';
-import { findHighestPriorityRule } from './trust-store.js';
-import { parse } from '../tools/terminal/parser.js';
+import { findHighestPriorityRule, onRulesChanged } from './trust-store.js';
 import { resolveSkillSelector } from '../config/skills.js';
 import { computeSkillVersionHash } from '../skills/version-hash.js';
 import { getTool } from '../tools/registry.js';
@@ -11,7 +11,32 @@ import { homedir } from 'node:os';
 import { looksLikeHostPortShorthand, looksLikePathOnlyInput } from '../tools/network/url-safety.js';
 import { normalizeFilePath, isSkillSourcePath } from '../skills/path-classifier.js';
 import { isWorkspaceScopedInvocation } from './workspace-policy.js';
-import { buildShellCommandCandidates, buildShellAllowlistOptions, type ParsedCommand } from './shell-identity.js';
+import { buildShellCommandCandidates, buildShellAllowlistOptions, cachedParse, type ParsedCommand } from './shell-identity.js';
+import type { ManifestOverride } from '../tools/execution-target.js';
+
+// ── Risk classification cache ────────────────────────────────────────────────
+// classifyRisk() is called on every permission check and can invoke WASM
+// parsing for shell commands. Cache results keyed on (toolName, inputHash).
+// Invalidated when trust rules change since risk classification for file tools
+// depends on skill source path checks which reference config, but the core
+// risk logic is input-deterministic.
+const RISK_CACHE_MAX = 256;
+const riskCache = new Map<string, RiskLevel>();
+
+function riskCacheKey(toolName: string, input: Record<string, unknown>): string {
+  const inputJson = JSON.stringify(input);
+  const hash = createHash('sha256').update(inputJson).digest('hex');
+  return `${toolName}\0${hash}`;
+}
+
+/** Clear the risk classification cache. Called when trust rules change. */
+export function clearRiskCache(): void {
+  riskCache.clear();
+}
+
+// Invalidate risk cache whenever trust rules change so that risk decisions
+// referencing config-dependent checks (e.g. skill source paths) stay fresh.
+onRulesChanged(clearRiskCache);
 
 // Ensures the legacy mode deprecation warning fires at most once per process.
 let _legacyDeprecationWarned = false;
@@ -32,8 +57,8 @@ const LOW_RISK_PROGRAMS = new Set([
   'man', 'help', 'info',
   'env', 'printenv', 'set',
   'diff', 'sort', 'uniq', 'cut', 'tr', 'tee', 'xargs',
-  'jq', 'yq', 'sed', 'awk',
-  'curl', 'wget', 'http', 'dig', 'nslookup', 'ping',
+  'jq', 'yq',
+  'http', 'dig', 'nslookup', 'ping',
   'tree', 'du', 'df',
 ]);
 
@@ -55,6 +80,41 @@ const LOW_RISK_GIT_SUBCOMMANDS = new Set([
   'cat-file', 'reflog',
 ]);
 
+// Commands that wrap another program — the real program appears as the first
+// non-flag argument.  When one of these is the segment program we look through
+// its args to find the effective program (e.g. `env curl …` → curl).
+const WRAPPER_PROGRAMS = new Set([
+  'env', 'nice', 'nohup', 'time', 'command', 'exec',
+  'strace', 'ltrace', 'ionice', 'taskset', 'timeout',
+]);
+
+// `env` flags that consume the next positional argument as their value.
+// Without this, `env -u curl echo` would incorrectly identify `curl` (the
+// value of -u) as the wrapped program instead of `echo`.
+const ENV_VALUE_FLAGS = new Set(['-u', '--unset', '-C', '--chdir']);
+
+/**
+ * Given a segment whose program is a known wrapper, return the first
+ * non-flag argument (i.e. the wrapped program name).  Returns `undefined`
+ * when no suitable argument is found.
+ *
+ * Handles `env` specially: skips `VAR=value` pairs and value-taking flags
+ * like `-u NAME` and `-C DIR`.
+ */
+function getWrappedProgram(seg: { program: string; args: string[] }): string | undefined {
+  const isEnv = seg.program === 'env';
+  for (let i = 0; i < seg.args.length; i++) {
+    const arg = seg.args[i];
+    if (arg.startsWith('-')) {
+      if (isEnv && ENV_VALUE_FLAGS.has(arg)) i++; // skip the value argument
+      continue;
+    }
+    if (isEnv && arg.includes('=')) continue;     // skip env VAR=value pairs
+    return arg;
+  }
+  return undefined;
+}
+
 function isHighRiskRm(args: string[]): boolean {
   // rm with -r, -rf, -fr, or targeting root/home
   for (const arg of args) {
@@ -244,7 +304,36 @@ async function buildCommandCandidates(toolName: string, input: Record<string, un
   return [...new Set(candidates)];
 }
 
-export async function classifyRisk(toolName: string, input: Record<string, unknown>, workingDir?: string, preParsed?: ParsedCommand): Promise<RiskLevel> {
+export async function classifyRisk(toolName: string, input: Record<string, unknown>, workingDir?: string, preParsed?: ParsedCommand, manifestOverride?: ManifestOverride, signal?: AbortSignal): Promise<RiskLevel> {
+  if (signal?.aborted) throw new Error('Cancelled');
+
+  // Check cache first (skip when preParsed is provided since caller already
+  // parsed and we'd just be duplicating the key computation cost).
+  const cacheKey = preParsed ? null : riskCacheKey(toolName, input);
+  if (cacheKey) {
+    const cached = riskCache.get(cacheKey);
+    if (cached !== undefined) {
+      // LRU refresh
+      riskCache.delete(cacheKey);
+      riskCache.set(cacheKey, cached);
+      return cached;
+    }
+  }
+
+  const result = await classifyRiskUncached(toolName, input, workingDir, preParsed, manifestOverride);
+
+  if (cacheKey) {
+    if (riskCache.size >= RISK_CACHE_MAX) {
+      const oldest = riskCache.keys().next().value;
+      if (oldest !== undefined) riskCache.delete(oldest);
+    }
+    riskCache.set(cacheKey, result);
+  }
+
+  return result;
+}
+
+async function classifyRiskUncached(toolName: string, input: Record<string, unknown>, workingDir?: string, preParsed?: ParsedCommand, manifestOverride?: ManifestOverride): Promise<RiskLevel> {
   if (toolName === 'file_read') return RiskLevel.Low;
   if (toolName === 'file_write' || toolName === 'file_edit') {
     const filePath = getStringField(input, 'path', 'file_path');
@@ -284,7 +373,7 @@ export async function classifyRisk(toolName: string, input: Record<string, unkno
     const command = (input.command as string) ?? '';
     if (!command.trim()) return RiskLevel.Low;
 
-    const parsed = preParsed ?? await parse(command);
+    const parsed = preParsed ?? await cachedParse(command);
 
     // Dangerous patterns → High
     if (parsed.dangerousPatterns.length > 0) return RiskLevel.High;
@@ -306,11 +395,27 @@ export async function classifyRisk(toolName: string, input: Record<string, unkno
         continue;
       }
 
-      if (prog === 'chmod' || prog === 'chown' || prog === 'chgrp') {
+      if (prog === 'chmod' || prog === 'chown' || prog === 'chgrp'
+        || prog === 'sed' || prog === 'awk') {
         maxRisk = RiskLevel.Medium;
         continue;
       }
 
+      // curl/wget can download and execute arbitrary code from the internet.
+      // Also catch wrapped invocations like `env curl …` or `nice wget …`.
+      if (prog === 'curl' || prog === 'wget') {
+        maxRisk = RiskLevel.Medium;
+        continue;
+      }
+
+      if (WRAPPER_PROGRAMS.has(prog)) {
+        const wrapped = getWrappedProgram(seg);
+        if (wrapped === 'curl' || wrapped === 'wget') {
+          maxRisk = RiskLevel.Medium;
+          continue;
+        }
+      }
+
       if (prog === 'git') {
         const subcommand = seg.args[0];
         if (subcommand && LOW_RISK_GIT_SUBCOMMANDS.has(subcommand)) {
@@ -342,6 +447,13 @@ export async function classifyRisk(toolName: string, input: Record<string, unkno
   const tool = getTool(toolName);
   if (tool) return tool.defaultRiskLevel;
 
+  // Use manifest metadata for unregistered skill tools so the Permission
+  // Simulator shows accurate risk levels instead of defaulting to Medium.
+  if (manifestOverride) {
+    const riskMap: Record<string, RiskLevel> = { low: RiskLevel.Low, medium: RiskLevel.Medium, high: RiskLevel.High };
+    return riskMap[manifestOverride.risk] ?? RiskLevel.Medium;
+  }
+
   // Unknown tool → Medium
   return RiskLevel.Medium;
 }
@@ -351,17 +463,21 @@ export async function check(
   input: Record<string, unknown>,
   workingDir: string,
   policyContext?: PolicyContext,
+  manifestOverride?: ManifestOverride,
+  signal?: AbortSignal,
 ): Promise<PermissionCheckResult> {
+  if (signal?.aborted) throw new Error('Cancelled');
+
   // For shell tools, parse once and share the result to avoid duplicate tree-sitter work.
   let shellParsed: ParsedCommand | undefined;
   if (toolName === 'bash' || toolName === 'host_bash') {
     const command = ((input.command as string) ?? '').trim();
     if (command) {
-      shellParsed = await parse(command);
+      shellParsed = await cachedParse(command);
     }
   }
 
-  const risk = await classifyRisk(toolName, input, workingDir, shellParsed);
+  const risk = await classifyRisk(toolName, input, workingDir, shellParsed, manifestOverride, signal);
 
   // Build command string candidates for rule matching
   const commandCandidates = await buildCommandCandidates(toolName, input, workingDir, shellParsed);
@@ -406,11 +522,16 @@ export async function check(
   // Third-party skill-origin tools default to prompting when no trust rule
   // matches, regardless of risk level. Bundled skill tools are first-party
   // and trusted, so they fall through to the normal risk-based policy.
+  // When manifestOverride is present, the tool comes from a skill manifest
+  // but isn't registered — treat it as a third-party skill tool.
   if (!matchedRule) {
     const tool = getTool(toolName);
     if (tool?.origin === 'skill' && !tool.ownerSkillBundled) {
       return { decision: 'prompt', reason: 'Skill tool: requires approval by default' };
     }
+    if (!tool && manifestOverride) {
+      return { decision: 'prompt', reason: 'Skill tool: requires approval by default' };
+    }
   }
 
   // In strict mode, every tool without an explicit matching rule must be
@@ -486,7 +607,8 @@ function friendlyHostname(url: URL): string {
   return url.hostname.replace(/^www\./, '');
 }
 
-export async function generateAllowlistOptions(toolName: string, input: Record<string, unknown>): Promise<AllowlistOption[]> {
+export async function generateAllowlistOptions(toolName: string, input: Record<string, unknown>, signal?: AbortSignal): Promise<AllowlistOption[]> {
+  if (signal?.aborted) throw new Error('Cancelled');
   if (toolName === 'bash' || toolName === 'host_bash') {
     const command = ((input.command as string) ?? '').trim();
     return buildShellAllowlistOptions(command);

package/src/permissions/prompter.ts

@@ -43,12 +43,15 @@ export class PermissionPrompter {
     sessionId?: string,
     executionTarget?: ExecutionTarget,
     persistentDecisionsAllowed?: boolean,
+    signal?: AbortSignal,
   ): Promise<{
     decision: UserDecision;
     selectedPattern?: string;
     selectedScope?: string;
     decisionContext?: string;
   }> {
+    if (signal?.aborted) return { decision: 'deny' };
+
     const requestId = uuid();
 
     return new Promise((resolve, reject) => {
@@ -61,6 +64,17 @@ export class PermissionPrompter {
 
       this.pending.set(requestId, { resolve, reject, timer });
 
+      if (signal) {
+        const onAbort = () => {
+          if (this.pending.has(requestId)) {
+            clearTimeout(timer);
+            this.pending.delete(requestId);
+            resolve({ decision: 'deny' });
+          }
+        };
+        signal.addEventListener('abort', onAbort, { once: true });
+      }
+
       this.sendToClient({
         type: 'confirmation_request',
         requestId,

package/src/permissions/shell-identity.ts

@@ -3,6 +3,36 @@ import type { AllowlistOption } from './types.js';
 
 export type { ParsedCommand };
 
+// ── Shell parse result cache ─────────────────────────────────────────────────
+// Shell parsing via web-tree-sitter WASM is deterministic — the same command
+// string always produces the same ParsedCommand. Cache results to avoid
+// redundant WASM invocations on repeated permission checks.
+const PARSE_CACHE_MAX = 256;
+const parseCache = new Map<string, ParsedCommand>();
+
+export async function cachedParse(command: string): Promise<ParsedCommand> {
+  const cached = parseCache.get(command);
+  if (cached !== undefined) {
+    // LRU refresh: move to end of insertion order
+    parseCache.delete(command);
+    parseCache.set(command, cached);
+    return cached;
+  }
+  const result = await parse(command);
+  // Evict oldest entry if at capacity
+  if (parseCache.size >= PARSE_CACHE_MAX) {
+    const oldest = parseCache.keys().next().value;
+    if (oldest !== undefined) parseCache.delete(oldest);
+  }
+  parseCache.set(command, result);
+  return result;
+}
+
+/** Clear the shell parse cache. Exposed for testing. */
+export function clearShellParseCache(): void {
+  parseCache.clear();
+}
+
 export interface ShellActionKey {
   /** e.g. "action:gh", "action:gh pr", "action:gh pr view" */
   key: string;
@@ -40,7 +70,7 @@ const MAX_ACTION_KEY_DEPTH = 3;
  * identity information for permission decisions.
  */
 export async function analyzeShellCommand(command: string, preParsed?: ParsedCommand): Promise<ShellIdentityAnalysis> {
-  const parsed = preParsed ?? await parse(command);
+  const parsed = preParsed ?? await cachedParse(command);
 
   const operators: string[] = [];
   for (const seg of parsed.segments) {

package/src/permissions/trust-store.ts

@@ -21,6 +21,21 @@ interface TrustFile {
 let cachedRules: TrustRule[] | null = null;
 let cachedStarterBundleAccepted: boolean | null = null;
 
+// Callbacks invoked when trust rules change (add/update/remove/clear).
+// Used by the permission checker to invalidate dependent caches.
+const rulesChangedListeners: Array<() => void> = [];
+
+/** Register a callback to be invoked whenever trust rules change. */
+export function onRulesChanged(listener: () => void): void {
+  rulesChangedListeners.push(listener);
+}
+
+function notifyRulesChanged(): void {
+  for (const listener of rulesChangedListeners) {
+    listener();
+  }
+}
+
 /**
  * Cache of pre-compiled Minimatch objects keyed by pattern string.
  * Rebuilt whenever cachedRules changes. Avoids re-parsing glob patterns
@@ -326,7 +341,7 @@ function saveToDisk(rules: TrustRule[]): void {
 }
 
 function getRules(): TrustRule[] {
-  if (cachedRules === null) {
+  if (cachedRules == null) {
     cachedRules = loadFromDisk();
     rebuildPatternCache(cachedRules);
   }
@@ -368,6 +383,7 @@ export function addRule(
   cachedRules = rules;
   rebuildPatternCache(rules);
   saveToDisk(rules);
+  notifyRulesChanged();
   log.info({ rule }, 'Added trust rule');
   return rule;
 }
@@ -395,6 +411,7 @@ export function updateRule(
   cachedRules = rules;
   rebuildPatternCache(rules);
   saveToDisk(rules);
+  notifyRulesChanged();
   log.info({ rule }, 'Updated trust rule');
   return rule;
 }
@@ -412,6 +429,7 @@ export function removeRule(id: string): boolean {
   cachedRules = rules;
   rebuildPatternCache(rules);
   saveToDisk(rules);
+  notifyRulesChanged();
   log.info({ id }, 'Removed trust rule');
   return true;
 }
@@ -508,6 +526,7 @@ export function clearAllRules(): void {
   cachedRules = rules;
   rebuildPatternCache(rules);
   saveToDisk(rules);
+  notifyRulesChanged();
   log.info('Cleared all user trust rules (default rules preserved)');
 }
 
@@ -608,6 +627,7 @@ export function acceptStarterBundle(): AcceptStarterBundleResult {
   cachedRules = rules;
   rebuildPatternCache(rules);
   saveToDisk(rules);
+  notifyRulesChanged();
   log.info({ rulesAdded: added }, 'Starter approval bundle accepted');
 
   return { accepted: true, rulesAdded: added, alreadyAccepted: false };

package/src/providers/anthropic/client.ts

@@ -58,12 +58,12 @@ export const PLACEHOLDER_BLOCKS_OMITTED = '\x00__PLACEHOLDER__[internal blocks o
 
 /** Type-guard for tool_use blocks in Anthropic-formatted content. */
 function isToolUseBlock(block: unknown): block is Anthropic.ToolUseBlockParam {
-  return typeof block === 'object' && block !== null && (block as { type: string }).type === 'tool_use';
+  return typeof block === 'object' && block != null && (block as { type: string }).type === 'tool_use';
 }
 
 /** Type-guard for tool_result blocks in Anthropic-formatted content. */
 function isToolResultBlock(block: unknown): block is Anthropic.ToolResultBlockParam {
-  return typeof block === 'object' && block !== null && (block as { type: string }).type === 'tool_result';
+  return typeof block === 'object' && block != null && (block as { type: string }).type === 'tool_result';
 }
 
 /**
@@ -379,12 +379,12 @@ export class AnthropicProvider implements Provider {
         const content = m.content
           .map((block) => {
             const result = this.toAnthropicBlockSafe(block);
-            if (result === null) {
+            if (result == null) {
               droppedUnknownBlock = true;
             }
             return result;
           })
-          .filter((block): block is Anthropic.ContentBlockParam => block !== null)
+          .filter((block): block is Anthropic.ContentBlockParam => block != null)
           .filter((block) => !(block.type === 'text' && !(block as { text?: string }).text?.trim()));
 
         // Preserve assistant turns that would otherwise become empty after filtering

package/src/providers/failover.ts

@@ -77,7 +77,7 @@ export class FailoverProvider implements Provider {
       const now = Date.now();
 
       // Skip providers that are still in cooldown
-      if (health.unhealthySince !== null) {
+      if (health.unhealthySince != null) {
         const elapsed = now - health.unhealthySince;
         if (elapsed < this.cooldownMs) {
           log.debug(
@@ -93,7 +93,7 @@ export class FailoverProvider implements Provider {
       try {
         const response = await provider.sendMessage(messages, tools, systemPrompt, options);
         // Success — mark healthy
-        if (health.unhealthySince !== null) {
+        if (health.unhealthySince != null) {
           log.info({ provider: provider.name }, 'Provider recovered, marking healthy');
           health.unhealthySince = null;
         }

package/src/providers/model-intents.ts

@@ -0,0 +1,70 @@
+import type { ModelIntent } from './types.js';
+
+const PROVIDER_DEFAULT_MODELS = {
+  anthropic: 'claude-opus-4-6',
+  openai: 'gpt-5.2',
+  gemini: 'gemini-3-flash',
+  ollama: 'llama3.2',
+  fireworks: 'accounts/fireworks/models/kimi-k2p5',
+  openrouter: 'x-ai/grok-4',
+} as const;
+
+type KnownProviderName = keyof typeof PROVIDER_DEFAULT_MODELS;
+
+const PROVIDER_MODEL_INTENTS: Record<KnownProviderName, Record<ModelIntent, string>> = {
+  anthropic: {
+    'latency-optimized': 'claude-haiku-4-5-20251001',
+    'quality-optimized': 'claude-opus-4-6',
+    'vision-optimized': 'claude-sonnet-4-6',
+  },
+  openai: {
+    'latency-optimized': 'gpt-4o-mini',
+    'quality-optimized': 'gpt-5.2',
+    'vision-optimized': 'gpt-4o',
+  },
+  gemini: {
+    'latency-optimized': 'gemini-3-flash',
+    'quality-optimized': 'gemini-3-flash',
+    'vision-optimized': 'gemini-3-flash',
+  },
+  ollama: {
+    'latency-optimized': 'llama3.2',
+    'quality-optimized': 'llama3.2',
+    'vision-optimized': 'llama3.2',
+  },
+  fireworks: {
+    'latency-optimized': 'accounts/fireworks/models/kimi-k2p5',
+    'quality-optimized': 'accounts/fireworks/models/kimi-k2p5',
+    'vision-optimized': 'accounts/fireworks/models/kimi-k2p5',
+  },
+  openrouter: {
+    'latency-optimized': 'x-ai/grok-4',
+    'quality-optimized': 'x-ai/grok-4',
+    'vision-optimized': 'x-ai/grok-4',
+  },
+};
+
+const MODEL_INTENTS = new Set<ModelIntent>([
+  'latency-optimized',
+  'quality-optimized',
+  'vision-optimized',
+]);
+
+export function isModelIntent(value: unknown): value is ModelIntent {
+  return typeof value === 'string' && MODEL_INTENTS.has(value as ModelIntent);
+}
+
+export function getProviderDefaultModel(providerName: string): string {
+  const knownProvider = providerName as KnownProviderName;
+  return PROVIDER_DEFAULT_MODELS[knownProvider] ?? PROVIDER_DEFAULT_MODELS.anthropic;
+}
+
+export function resolveModelIntent(providerName: string, intent: ModelIntent): string {
+  const knownProvider = providerName as KnownProviderName;
+  const providerIntentModels = PROVIDER_MODEL_INTENTS[knownProvider];
+  if (providerIntentModels) {
+    return providerIntentModels[intent];
+  }
+  return getProviderDefaultModel(providerName);
+}
+

package/src/providers/ollama/client.ts

@@ -1,4 +1,5 @@
 import { OpenAIProvider } from '../openai/client.js';
+import { getOllamaBaseUrlEnv } from '../../config/env.js';
 
 export interface OllamaProviderOptions {
   apiKey?: string;
@@ -20,7 +21,7 @@ export class OllamaProvider extends OpenAIProvider {
 }
 
 function resolveBaseUrl(optionBaseUrl?: string): string {
-  for (const candidate of [optionBaseUrl, process.env.OLLAMA_BASE_URL]) {
+  for (const candidate of [optionBaseUrl, getOllamaBaseUrlEnv()]) {
     if (typeof candidate === 'string') {
       const trimmed = candidate.trim();
       if (trimmed.length > 0) return trimmed;