@vellumai/assistant 0.4.18 → 0.4.20

package/src/daemon/tool-side-effects.ts

@@ -10,15 +10,11 @@
 import { join } from 'node:path';
 
 import { updatePublishedAppDeployment } from '../services/published-app-updater.js';
-import { openAppViaSurface } from '../tools/apps/open-proxy.js';
 import type { ToolExecutionResult } from '../tools/types.js';
 import { getWorkspaceDir } from '../util/platform.js';
 import { isDoordashCommand, updateDoordashProgress } from './doordash-steps.js';
 import type { ServerMessage } from './ipc-protocol.js';
-import {
-  refreshSurfacesForApp,
-  surfaceProxyResolver,
-} from './session-surfaces.js';
+import { refreshSurfacesForApp } from './session-surfaces.js';
 import type { ToolSetupContext } from './session-tool-setup.js';
 
 // ── Types ────────────────────────────────────────────────────────────
@@ -37,20 +33,16 @@ export type PostExecutionHook = (
 
 // ── Helpers ──────────────────────────────────────────────────────────
 
-/** Shared logic for refreshing app surfaces, broadcasting changes, and auto-opening. */
+/** Shared logic for refreshing app surfaces, broadcasting changes, and triggering auto-deploy. */
 function handleAppChange(
   ctx: ToolSetupContext,
   appId: string,
   broadcastToAllClients: ((msg: ServerMessage) => void) | undefined,
   opts?: { fileChange?: boolean; status?: string },
 ): void {
-  const refreshed = refreshSurfacesForApp(ctx, appId, opts);
+  refreshSurfacesForApp(ctx, appId, opts);
   broadcastToAllClients?.({ type: 'app_files_changed', appId });
   void updatePublishedAppDeployment(appId);
-  if (!refreshed && !ctx.hasNoClient && !ctx.headlessLock) {
-    const resolver = (tn: string, pi: Record<string, unknown>) => surfaceProxyResolver(ctx, tn, pi);
-    void openAppViaSurface(appId, resolver);
-  }
 }
 
 // ── Registry ─────────────────────────────────────────────────────────
@@ -82,7 +74,6 @@ registerHook('app_create', (_name, _input, result, { ctx, broadcastToAllClients
 });
 
 // Auto-refresh workspace surfaces when a persisted app is updated.
-// If no surface is currently showing the app, auto-open it.
 registerHook('app_update', (_name, input, _result, { ctx, broadcastToAllClients }) => {
   const appId = input.app_id as string | undefined;
   if (appId) {
@@ -109,7 +100,6 @@ registerHook(
 );
 
 // Auto-refresh workspace surfaces when app files are edited.
-// If no surface is currently showing the app, auto-open it.
 registerHook(
   ['app_file_edit', 'app_file_write'],
   (_name, input, _result, { ctx, broadcastToAllClients }) => {

package/src/mcp/client.ts

@@ -30,15 +30,13 @@ export class McpClient {
   private transport: StdioClientTransport | SSEClientTransport | StreamableHTTPClientTransport | null = null;
   private connected = false;
   private oauthProvider: McpOAuthProvider | null = null;
-  private quiet: boolean;
 
   get isConnected(): boolean {
     return this.connected;
   }
 
-  constructor(serverId: string, opts?: { quiet?: boolean }) {
+  constructor(serverId: string) {
     this.serverId = serverId;
-    this.quiet = opts?.quiet ?? false;
     this.client = new Client({
       name: 'vellum-assistant',
       version: '1.0.0',
@@ -61,7 +59,7 @@ export class McpClient {
       }
     }
 
-    if (!this.quiet) console.log(`[MCP] Connecting to server "${this.serverId}"...`);
+    log.info({ serverId: this.serverId }, 'Connecting to MCP server');
     this.transport = this.createTransport(transportConfig);
 
     try {
@@ -82,13 +80,11 @@ export class McpClient {
         if (isAuthError) {
           // Auth-related — user can run `vellum mcp auth <name>` to authenticate.
           log.info({ serverId: this.serverId, err }, 'MCP server requires authentication');
-          if (!this.quiet) console.log(`[MCP] Server "${this.serverId}" requires authentication. Run "vellum mcp auth ${this.serverId}" to authenticate.`);
           return;
         }
 
         // Non-auth error (DNS, TLS, timeout, etc.) — log and re-throw
         log.error({ serverId: this.serverId, err }, 'MCP server connection failed');
-        if (!this.quiet) console.error(`[MCP] Server "${this.serverId}" connection failed: ${err instanceof Error ? err.message : err}`);
         throw err;
       }
 
@@ -96,7 +92,6 @@ export class McpClient {
     }
 
     this.connected = true;
-    if (!this.quiet) console.log(`[MCP] Server "${this.serverId}" connected successfully`);
     log.info({ serverId: this.serverId }, 'MCP client connected');
   }
 

package/src/security/secure-keys.ts

@@ -148,11 +148,25 @@ export function getSecureKey(account: string): string | undefined {
  * Returns `true` on success, `false` on failure.
  */
 export function setSecureKey(account: string, value: string): boolean {
-  return withKeychainFallback(
+  const result = withKeychainFallback(
     () => keychain.setKey(account, value),
     () => encryptedStore.setKey(account, value),
     false,
   );
+  // When writing to the encrypted store after a keychain downgrade, clean up
+  // any stale keychain entry so the gateway's credential-reader (which tries
+  // keychain first) does not read an outdated value.
+  if (result && downgradedFromKeychain && getBackend() === "encrypted") {
+    keychainMissCache.delete(account);
+    try {
+      // Only attempt deletion if the key actually exists in keychain to
+      // avoid spawning a subprocess on every write.
+      if (keychain.getKey(account) !== undefined) {
+        keychain.deleteKey(account);
+      }
+    } catch { /* best-effort */ }
+  }
+  return result;
 }
 
 /**
@@ -278,7 +292,22 @@ export async function setSecureKeyAsync(
   value: string,
 ): Promise<boolean> {
   const backend = await getBackendAsync();
-  if (backend === "encrypted") return encryptedStore.setKey(account, value);
+  if (backend === "encrypted") {
+    const result = encryptedStore.setKey(account, value);
+    // Clean up stale keychain entry (mirrors setSecureKey logic).
+    if (result && downgradedFromKeychain) {
+      keychainMissCache.delete(account);
+      try {
+        // Only attempt deletion if the key actually exists in keychain to
+        // avoid spawning a subprocess on every write.
+        const exists = await keychain.getKeyAsync(account);
+        if (exists !== undefined) {
+          await keychain.deleteKeyAsync(account);
+        }
+      } catch { /* best-effort */ }
+    }
+    return result;
+  }
   if (backend !== "keychain") return false;
 
   const result = await keychain.setKeyAsync(account, value);
@@ -288,7 +317,18 @@ export async function setSecureKeyAsync(
     );
     resolvedBackend = "encrypted";
     downgradedFromKeychain = true;
-    return encryptedStore.setKey(account, value);
+    const fallbackResult = encryptedStore.setKey(account, value);
+    // Clean up stale keychain entry after runtime downgrade
+    if (fallbackResult) {
+      keychainMissCache.delete(account);
+      try {
+        const exists = await keychain.getKeyAsync(account);
+        if (exists !== undefined) {
+          await keychain.deleteKeyAsync(account);
+        }
+      } catch { /* best-effort */ }
+    }
+    return fallbackResult;
   }
   return result;
 }

package/src/tools/apps/definitions.ts

@@ -43,6 +43,11 @@ const appOpenTool: Tool = {
             type: 'string',
             description: 'The ID of the app to open',
           },
+          open_mode: {
+            type: 'string',
+            enum: ['preview', 'workspace'],
+            description: "Display mode. 'preview' shows an inline preview card in chat. 'workspace' opens the full app in a workspace panel. Defaults to 'workspace'.",
+          },
         },
         required: ['app_id'],
       },

package/src/tools/apps/executors.ts

@@ -11,7 +11,6 @@
 import { setHomeBaseAppLink } from '../../home-base/app-link-store.js';
 import type { AppDefinition } from '../../memory/app-store.js';
 import type { EditEngineResult } from '../../memory/app-store.js';
-import { openAppViaSurface } from './open-proxy.js';
 
 // ---------------------------------------------------------------------------
 // Shared result type
@@ -123,33 +122,30 @@ export async function executeAppCreate(
     setHomeBaseAppLink(app.id, 'personalized');
   }
 
-  // Auto-open the app via the shared open-proxy helper
+  // Emit the inline preview card via the proxy without opening a workspace panel.
+  // open_mode: "preview" signals to the client that this should be shown inline only.
   if (autoOpen && proxyToolResolver) {
     const createPreview = { ...(preview ?? {}), context: 'app_create' as const };
-    const extraInput = { preview: createPreview };
-    const openResultText = await openAppViaSurface(app.id, proxyToolResolver, extraInput);
-
-    // Determine whether the open succeeded by checking for the fallback text
-    const opened = openResultText !== 'Failed to auto-open app. Use app_open to open it manually.';
-    if (opened) {
+    const extraInput = { preview: createPreview, open_mode: 'preview' };
+    try {
+      const openResult = await proxyToolResolver('app_open', { app_id: app.id, ...extraInput });
+      if (openResult.isError) {
+        return {
+          content: JSON.stringify({ ...app, auto_opened: false, auto_open_error: openResult.content }),
+          isError: false,
+        };
+      }
+      return {
+        content: JSON.stringify({ ...app, auto_opened: true, open_result: openResult.content }),
+        isError: false,
+      };
+    } catch {
+      // Preview emission failure is non-fatal — the app was created successfully.
       return {
-        content: JSON.stringify({
-          ...app,
-          auto_opened: true,
-          open_result: openResultText,
-        }),
+        content: JSON.stringify({ ...app, auto_opened: false, auto_open_error: 'Failed to auto-open app. Use app_open to open it manually.' }),
         isError: false,
       };
     }
-
-    return {
-      content: JSON.stringify({
-        ...app,
-        auto_opened: false,
-        auto_open_error: openResultText,
-      }),
-      isError: false,
-    };
   }
 
   return { content: JSON.stringify(app), isError: false };

package/src/tools/terminal/safe-env.ts

@@ -6,6 +6,7 @@
  * Shared by the sandbox bash tool and skill sandbox runner.
  */
 import { getGatewayInternalBaseUrl, getIngressPublicBaseUrl } from '../../config/env.js';
+import { isSigningKeyInitialized, mintEdgeRelayToken } from '../../runtime/auth/token-service.js';
 
 const SAFE_ENV_VARS = [
   'PATH',
@@ -42,5 +43,11 @@ export function buildSanitizedEnv(): Record<string, string> {
   // back to the internal base so commands remain functional in local-only mode.
   const publicGatewayBase = getIngressPublicBaseUrl()?.replace(/\/+$/, '');
   env.GATEWAY_BASE_URL = publicGatewayBase || internalGatewayBase;
+  // Mint a short-lived JWT for gateway authentication when the signing key
+  // is available (daemon context). CLI-only contexts without daemon startup
+  // will not have the key initialized — gracefully skip.
+  if (isSigningKeyInitialized()) {
+    env.GATEWAY_AUTH_TOKEN = mintEdgeRelayToken();
+  }
   return env;
 }

package/src/__tests__/response-tier.test.ts

@@ -1,195 +0,0 @@
-import { describe, expect, test } from "bun:test";
-
-import {
-  classifyResponseTierAsync,
-  classifyResponseTierDetailed,
-  resolveWithHint,
-  type SessionTierHint,
-  type TierClassification,
-} from "../daemon/response-tier.js";
-
-// ── classifyResponseTierDetailed ──────────────────────────────────────
-
-describe("classifyResponseTierDetailed", () => {
-  describe("high confidence → high tier", () => {
-    test("long messages (>500 chars)", () => {
-      const result = classifyResponseTierDetailed("x".repeat(501), 0);
-      expect(result.tier).toBe("high");
-      expect(result.confidence).toBe("high");
-    });
-
-    test("code fences", () => {
-      const result = classifyResponseTierDetailed(
-        "Here is some code:\n```\nconst x = 1;\n```",
-        0,
-      );
-      expect(result.tier).toBe("high");
-      expect(result.confidence).toBe("high");
-    });
-
-    test("file paths", () => {
-      const result = classifyResponseTierDetailed("Look at ./src/index.ts", 0);
-      expect(result.tier).toBe("high");
-      expect(result.confidence).toBe("high");
-    });
-
-    test("multi-paragraph", () => {
-      const result = classifyResponseTierDetailed(
-        "First paragraph.\n\nSecond paragraph.",
-        0,
-      );
-      expect(result.tier).toBe("high");
-      expect(result.confidence).toBe("high");
-    });
-
-    test("build keyword imperatives", () => {
-      const result = classifyResponseTierDetailed(
-        "Build a REST API for user management",
-        0,
-      );
-      expect(result.tier).toBe("high");
-      expect(result.confidence).toBe("high");
-    });
-  });
-
-  describe("high confidence → low tier", () => {
-    test("pure greetings under 40 chars", () => {
-      const result = classifyResponseTierDetailed("hey", 0);
-      expect(result.tier).toBe("low");
-      expect(result.confidence).toBe("high");
-    });
-
-    test("short messages without build keywords", () => {
-      const result = classifyResponseTierDetailed("sounds good", 0);
-      expect(result.tier).toBe("low");
-      expect(result.confidence).toBe("high");
-    });
-  });
-
-  describe("low confidence → medium tier", () => {
-    test("questions with build keywords fall to medium/low-confidence", () => {
-      const result = classifyResponseTierDetailed(
-        "how do I build authentication?",
-        0,
-      );
-      expect(result.tier).toBe("medium");
-      expect(result.confidence).toBe("low");
-    });
-
-    test("ambiguous medium-length message", () => {
-      const result = classifyResponseTierDetailed(
-        "what do you think about the current approach to handling errors in the codebase?",
-        0,
-      );
-      expect(result.tier).toBe("medium");
-      expect(result.confidence).toBe("low");
-    });
-  });
-});
-
-// ── resolveWithHint ───────────────────────────────────────────────────
-
-describe("resolveWithHint", () => {
-  const lowConfMedium: TierClassification = {
-    tier: "medium",
-    reason: "default",
-    confidence: "low",
-  };
-  const highConfLow: TierClassification = {
-    tier: "low",
-    reason: "short_no_keywords",
-    confidence: "high",
-  };
-  const highConfHigh: TierClassification = {
-    tier: "high",
-    reason: "build_keyword",
-    confidence: "high",
-  };
-
-  test("high confidence: ignores hint that would downgrade", () => {
-    const hint: SessionTierHint = {
-      tier: "low",
-      turn: 5,
-      timestamp: Date.now(),
-    };
-    expect(resolveWithHint(highConfHigh, hint, 6)).toBe("high");
-  });
-
-  test("high confidence: upgrades when hint is higher", () => {
-    const hint: SessionTierHint = {
-      tier: "medium",
-      turn: 5,
-      timestamp: Date.now(),
-    };
-    expect(resolveWithHint(highConfLow, hint, 6)).toBe("medium");
-  });
-
-  test("high confidence: upgrades to high when hint is high", () => {
-    const hint: SessionTierHint = {
-      tier: "high",
-      turn: 5,
-      timestamp: Date.now(),
-    };
-    expect(resolveWithHint(highConfLow, hint, 6)).toBe("high");
-  });
-
-  test("returns regex tier when no hint available", () => {
-    expect(resolveWithHint(lowConfMedium, null, 0)).toBe("medium");
-  });
-
-  test("defers to hint when confidence is low and hint is fresh", () => {
-    const hint: SessionTierHint = {
-      tier: "high",
-      turn: 5,
-      timestamp: Date.now(),
-    };
-    expect(resolveWithHint(lowConfMedium, hint, 6)).toBe("high");
-  });
-
-  test("ignores stale hint (too many turns old)", () => {
-    const hint: SessionTierHint = {
-      tier: "high",
-      turn: 0,
-      timestamp: Date.now(),
-    };
-    // 5 turns later exceeds HINT_MAX_TURN_AGE of 4
-    expect(resolveWithHint(lowConfMedium, hint, 5)).toBe("medium");
-  });
-
-  test("ignores stale hint (too old by time)", () => {
-    const fiveMinutesAgo = Date.now() - 5 * 60 * 1000 - 1;
-    const hint: SessionTierHint = {
-      tier: "high",
-      turn: 3,
-      timestamp: fiveMinutesAgo,
-    };
-    expect(resolveWithHint(lowConfMedium, hint, 4)).toBe("medium");
-  });
-
-  test("uses hint at exact boundary (4 turns, within time)", () => {
-    const hint: SessionTierHint = {
-      tier: "high",
-      turn: 1,
-      timestamp: Date.now(),
-    };
-    // 5 - 1 = 4, which is not > 4, so hint is still valid
-    expect(resolveWithHint(lowConfMedium, hint, 5)).toBe("high");
-  });
-});
-
-// ── classifyResponseTierAsync ─────────────────────────────────────────
-
-describe("classifyResponseTierAsync", () => {
-  test("returns null when no provider is available", async () => {
-    // getConfiguredProvider returns null when no API key is set
-    // We can't easily mock it here, but we can verify the function handles it
-    const result = await classifyResponseTierAsync(["hello"]);
-    // In test environment without a configured provider, should return null
-    expect(
-      result === undefined ||
-        result === "low" ||
-        result === "medium" ||
-        result === "high",
-    ).toBe(true);
-  });
-});