@vellumai/assistant 0.4.29 → 0.4.30

package/src/config/bundled-skills/tasks/TOOLS.json

@@ -3,7 +3,7 @@
   "tools": [
     {
       "name": "task_save",
-      "description": "Save the current conversation as a reusable task template (definition). This is NOT for adding items to the user's task queue — use task_list_add for that. task_save extracts the conversation pattern into a reusable definition with placeholders that can be run later with different inputs.",
+      "description": "Save the current conversation as a reusable task template (definition). This is NOT for adding items to the user's task queue \u2014 use task_list_add for that. task_save extracts the conversation pattern into a reusable definition with placeholders that can be run later with different inputs.",
       "category": "tasks",
       "risk": "low",
       "input_schema": {
@@ -16,6 +16,10 @@
           "title": {
             "type": "string",
             "description": "Optional override for the auto-generated task title"
+          },
+          "reason": {
+            "type": "string",
+            "description": "Brief non-technical explanation of why this tool is being called"
           }
         },
         "required": []
@@ -42,7 +46,13 @@
           "inputs": {
             "type": "object",
             "description": "Values for template placeholders (e.g. {\"file_path\": \"/tmp/foo.txt\", \"url\": \"https://example.com\"})",
-            "additionalProperties": { "type": "string" }
+            "additionalProperties": {
+              "type": "string"
+            }
+          },
+          "reason": {
+            "type": "string",
+            "description": "Brief non-technical explanation of why this tool is being called"
           }
         }
       },
@@ -56,7 +66,12 @@
       "risk": "low",
       "input_schema": {
         "type": "object",
-        "properties": {}
+        "properties": {
+          "reason": {
+            "type": "string",
+            "description": "Brief non-technical explanation of why this tool is being called"
+          }
+        }
       },
       "executor": "tools/task-list.ts",
       "execution_target": "host"
@@ -71,8 +86,14 @@
         "properties": {
           "task_ids": {
             "type": "array",
-            "items": { "type": "string" },
+            "items": {
+              "type": "string"
+            },
             "description": "One or more task IDs to delete."
+          },
+          "reason": {
+            "type": "string",
+            "description": "Brief non-technical explanation of why this tool is being called"
           }
         },
         "required": ["task_ids"]
@@ -90,10 +111,21 @@
         "properties": {
           "status": {
             "oneOf": [
-              { "type": "string" },
-              { "type": "array", "items": { "type": "string" } }
+              {
+                "type": "string"
+              },
+              {
+                "type": "array",
+                "items": {
+                  "type": "string"
+                }
+              }
             ],
             "description": "Optional status filter. A single status string (e.g. \"queued\") or an array of statuses to include."
+          },
+          "reason": {
+            "type": "string",
+            "description": "Brief non-technical explanation of why this tool is being called"
           }
         }
       },
@@ -102,7 +134,7 @@
     },
     {
       "name": "task_list_add",
-      "description": "Add a task to the user's Task Queue. Use this when the user says \"add to my tasks\", \"add to my queue\", \"put this on my task list\", \"track this task\", or any variation of adding a one-off item they want to remember or work on. You can provide just a title for ad-hoc items, or reference an existing task definition by name or ID. Do NOT use schedule_create or reminder for simple \"add to tasks\" requests — those are for timed/recurring automation only.",
+      "description": "Add a task to the user's Task Queue. Use this when the user says \"add to my tasks\", \"add to my queue\", \"put this on my task list\", \"track this task\", or any variation of adding a one-off item they want to remember or work on. You can provide just a title for ad-hoc items, or reference an existing task definition by name or ID. Do NOT use schedule_create or reminder for simple \"add to tasks\" requests \u2014 those are for timed/recurring automation only.",
       "category": "tasks",
       "risk": "low",
       "input_schema": {
@@ -143,8 +175,14 @@
           },
           "required_tools": {
             "type": "array",
-            "items": { "type": "string" },
-            "description": "Tools the task will need at execution time. Always specify this — think about what tools are needed to accomplish the task (e.g. [\"host_bash\"] for shell commands, [\"host_file_read\", \"host_file_write\"] for file operations, [\"web_search\"] for web lookups). The user must approve these before the task runs. Pass [] if no tools are needed."
+            "items": {
+              "type": "string"
+            },
+            "description": "Tools the task will need at execution time. Always specify this \u2014 think about what tools are needed to accomplish the task (e.g. [\"host_bash\"] for shell commands, [\"host_file_read\", \"host_file_write\"] for file operations, [\"web_search\"] for web lookups). The user must approve these before the task runs. Pass [] if no tools are needed."
+          },
+          "reason": {
+            "type": "string",
+            "description": "Brief non-technical explanation of why this tool is being called"
           }
         }
       },
@@ -185,7 +223,15 @@
           },
           "status": {
             "type": "string",
-            "enum": ["queued", "running", "awaiting_review", "done", "failed", "cancelled", "archived"],
+            "enum": [
+              "queued",
+              "running",
+              "awaiting_review",
+              "done",
+              "failed",
+              "cancelled",
+              "archived"
+            ],
             "description": "New status for the work item. To mark a task as done, it must currently be in 'awaiting_review' status."
           },
           "sort_index": {
@@ -194,16 +240,28 @@
           },
           "filter_priority_tier": {
             "type": "number",
-            "description": "Disambiguation filter: narrow by current priority tier (0=high, 1=medium, 2=low) when multiple items share the same title/task_id. This identifies WHICH item to update — it is NOT the new priority value."
+            "description": "Disambiguation filter: narrow by current priority tier (0=high, 1=medium, 2=low) when multiple items share the same title/task_id. This identifies WHICH item to update \u2014 it is NOT the new priority value."
           },
           "filter_status": {
             "type": "string",
-            "enum": ["queued", "running", "awaiting_review", "failed", "cancelled", "done", "archived"],
+            "enum": [
+              "queued",
+              "running",
+              "awaiting_review",
+              "failed",
+              "cancelled",
+              "done",
+              "archived"
+            ],
             "description": "Disambiguation filter: narrow by current status when multiple items share the same title/task_id."
           },
           "created_order": {
             "type": "number",
             "description": "Disambiguation filter: pick the Nth oldest match (1 = oldest, 2 = second oldest, etc.) when multiple items share the same title/task_id."
+          },
+          "reason": {
+            "type": "string",
+            "description": "Brief non-technical explanation of why this tool is being called"
           }
         }
       },
@@ -240,12 +298,22 @@
           },
           "status": {
             "type": "string",
-            "enum": ["queued", "running", "awaiting_review", "failed", "cancelled"],
+            "enum": [
+              "queued",
+              "running",
+              "awaiting_review",
+              "failed",
+              "cancelled"
+            ],
             "description": "Disambiguator: filter by work item status"
           },
           "created_order": {
             "type": "number",
             "description": "Disambiguator: 1-indexed creation order among matches (1 = oldest, 2 = second oldest, etc.)"
+          },
+          "reason": {
+            "type": "string",
+            "description": "Brief non-technical explanation of why this tool is being called"
           }
         }
       },
@@ -254,7 +322,7 @@
     },
     {
       "name": "task_queue_run",
-      "description": "Run a task from the Task Queue in the background. Use this when the user says \"run this task\", \"execute this task\", \"start this task\", or wants to kick off a queued work item. The task runs asynchronously — the user can continue chatting while it executes. Required tool permissions are auto-approved since the user is explicitly requesting execution.",
+      "description": "Run a task from the Task Queue in the background. Use this when the user says \"run this task\", \"execute this task\", \"start this task\", or wants to kick off a queued work item. The task runs asynchronously \u2014 the user can continue chatting while it executes. Required tool permissions are auto-approved since the user is explicitly requesting execution.",
       "category": "tasks",
       "risk": "medium",
       "input_schema": {
@@ -271,6 +339,10 @@
           "title": {
             "type": "string",
             "description": "Work item title to search for (case-insensitive substring match)"
+          },
+          "reason": {
+            "type": "string",
+            "description": "Brief non-technical explanation of why this tool is being called"
           }
         }
       },

package/src/config/bundled-skills/transcribe/TOOLS.json

@@ -21,6 +21,10 @@
             "type": "string",
             "enum": ["api", "local"],
             "description": "Transcription backend: 'api' for OpenAI Whisper API (cloud), 'local' for whisper.cpp (on-device)"
+          },
+          "reason": {
+            "type": "string",
+            "description": "Brief non-technical explanation of why this tool is being called"
           }
         },
         "required": ["mode"]

package/src/config/bundled-skills/watcher/TOOLS.json

@@ -32,6 +32,10 @@
           "config": {
             "type": "object",
             "description": "Provider-specific configuration (e.g. filter criteria)"
+          },
+          "reason": {
+            "type": "string",
+            "description": "Brief non-technical explanation of why this tool is being called"
           }
         },
         "required": ["name", "provider", "action_prompt"]
@@ -54,6 +58,10 @@
           "enabled_only": {
             "type": "boolean",
             "description": "When true, only show enabled watchers. Defaults to false."
+          },
+          "reason": {
+            "type": "string",
+            "description": "Brief non-technical explanation of why this tool is being called"
           }
         },
         "required": []
@@ -92,6 +100,10 @@
           "config": {
             "type": "object",
             "description": "New provider-specific configuration"
+          },
+          "reason": {
+            "type": "string",
+            "description": "Brief non-technical explanation of why this tool is being called"
           }
         },
         "required": ["watcher_id"]
@@ -110,6 +122,10 @@
           "watcher_id": {
             "type": "string",
             "description": "The ID of the watcher to delete"
+          },
+          "reason": {
+            "type": "string",
+            "description": "Brief non-technical explanation of why this tool is being called"
           }
         },
         "required": ["watcher_id"]
@@ -136,6 +152,10 @@
           "limit": {
             "type": "number",
             "description": "Maximum number of events to return. Defaults to 50."
+          },
+          "reason": {
+            "type": "string",
+            "description": "Brief non-technical explanation of why this tool is being called"
           }
         },
         "required": []

package/src/config/bundled-skills/weather/TOOLS.json

@@ -21,6 +21,10 @@
           "days": {
             "type": "number",
             "description": "Number of forecast days to return (1-16, default: 10)"
+          },
+          "reason": {
+            "type": "string",
+            "description": "Brief non-technical explanation of why this tool is being called"
           }
         },
         "required": ["location"]

package/src/config/bundled-tool-registry.ts

@@ -146,6 +146,7 @@ import * as scheduleUpdate from "./bundled-skills/schedule/tools/schedule-update
 // ── slack ────────────────────────────────────────────────────────────────────
 import * as slackAddReaction from "./bundled-skills/slack/tools/slack-add-reaction.js";
 import * as slackChannelDetails from "./bundled-skills/slack/tools/slack-channel-details.js";
+import * as slackChannelPermissions from "./bundled-skills/slack/tools/slack-channel-permissions.js";
 import * as slackConfigureChannels from "./bundled-skills/slack/tools/slack-configure-channels.js";
 import * as slackDeleteMessage from "./bundled-skills/slack/tools/slack-delete-message.js";
 import * as slackLeaveChannel from "./bundled-skills/slack/tools/slack-leave-channel.js";
@@ -345,6 +346,7 @@ export const bundledToolRegistry = new Map<string, SkillToolScript>([
   ["slack:tools/slack-add-reaction.ts", slackAddReaction],
   ["slack:tools/slack-delete-message.ts", slackDeleteMessage],
   ["slack:tools/slack-leave-channel.ts", slackLeaveChannel],
+  ["slack:tools/slack-channel-permissions.ts", slackChannelPermissions],
 
   // subagent
   ["subagent:tools/subagent-spawn.ts", subagentSpawn],

package/src/config/channel-permission-profiles.ts

@@ -0,0 +1,155 @@
+/**
+ * Channel-scoped permission profiles.
+ *
+ * Maps Slack channel IDs to permission/trust overrides. When processing
+ * an inbound message from a channel, the permission profile is looked up
+ * to determine which tools are available, what trust level applies, etc.
+ *
+ * Permission profiles are stored in the Slack skill config section:
+ *   skills.entries.slack.config.channelPermissions
+ *
+ * Each entry maps a channel ID to a ChannelPermissionProfile.
+ */
+
+import { getConfig, saveConfig } from "./loader.js";
+
+// ── Types ───────────────────────────────────────────────────────────
+
+export interface ChannelPermissionProfile {
+  /** Human-readable label for this channel's permission set. */
+  label?: string;
+  /** Tool categories allowed in this channel. When set, only tools in these
+   *  categories can be invoked. Empty array means no tool restrictions. */
+  allowedToolCategories?: string[];
+  /** Specific tool names blocked in this channel, regardless of category. */
+  blockedTools?: string[];
+  /** Trust level override for messages from this channel.
+   *  "restricted" limits tool access; "standard" uses defaults. */
+  trustLevel?: "restricted" | "standard";
+}
+
+export type ChannelPermissionMap = Record<string, ChannelPermissionProfile>;
+
+// ── Config accessors ────────────────────────────────────────────────
+
+/**
+ * Get all channel permission mappings from config.
+ */
+export function getChannelPermissions(): ChannelPermissionMap {
+  const config = getConfig();
+  const perms = config.skills?.entries?.slack?.config?.channelPermissions;
+  if (perms && typeof perms === "object" && !Array.isArray(perms)) {
+    return perms as ChannelPermissionMap;
+  }
+  return {};
+}
+
+/**
+ * Get the permission profile for a specific channel.
+ * Returns null if no profile is configured for the channel.
+ */
+export function getChannelPermissionProfile(
+  channelId: string,
+): ChannelPermissionProfile | null {
+  const perms = getChannelPermissions();
+  return perms[channelId] ?? null;
+}
+
+/**
+ * Set the permission profile for a specific channel.
+ */
+export function setChannelPermissionProfile(
+  channelId: string,
+  profile: ChannelPermissionProfile,
+): void {
+  const config = getConfig();
+  if (!config.skills) config.skills = {} as typeof config.skills;
+  if (!config.skills.entries) config.skills.entries = {};
+  if (!config.skills.entries.slack)
+    config.skills.entries.slack = { enabled: true };
+  if (!config.skills.entries.slack.config)
+    config.skills.entries.slack.config = {};
+
+  const existing =
+    (config.skills.entries.slack.config.channelPermissions as
+      | ChannelPermissionMap
+      | undefined) ?? {};
+  existing[channelId] = profile;
+  config.skills.entries.slack.config.channelPermissions = existing;
+  saveConfig(config);
+}
+
+/**
+ * Remove the permission profile for a specific channel.
+ * Returns true if a profile was removed, false if none existed.
+ */
+export function removeChannelPermissionProfile(channelId: string): boolean {
+  const config = getConfig();
+  const perms = config.skills?.entries?.slack?.config?.channelPermissions as
+    | ChannelPermissionMap
+    | undefined;
+  if (!perms || !(channelId in perms)) return false;
+
+  delete perms[channelId];
+  config.skills!.entries!.slack!.config!.channelPermissions = perms;
+  saveConfig(config);
+  return true;
+}
+
+/**
+ * Replace all channel permission profiles at once.
+ */
+export function setAllChannelPermissions(
+  permissions: ChannelPermissionMap,
+): void {
+  const config = getConfig();
+  if (!config.skills) config.skills = {} as typeof config.skills;
+  if (!config.skills.entries) config.skills.entries = {};
+  if (!config.skills.entries.slack)
+    config.skills.entries.slack = { enabled: true };
+  if (!config.skills.entries.slack.config)
+    config.skills.entries.slack.config = {};
+
+  config.skills.entries.slack.config.channelPermissions = permissions;
+  saveConfig(config);
+}
+
+// ── Permission resolution ───────────────────────────────────────────
+
+/**
+ * Check whether a specific tool is allowed in a channel.
+ * If no permission profile exists for the channel, all tools are allowed.
+ */
+export function isToolAllowedInChannel(
+  channelId: string,
+  toolName: string,
+  toolCategory?: string,
+): boolean {
+  const profile = getChannelPermissionProfile(channelId);
+  if (!profile) return true;
+
+  // Check explicit block list first
+  if (profile.blockedTools?.includes(toolName)) return false;
+
+  // Check allowed categories (if specified)
+  if (
+    profile.allowedToolCategories &&
+    profile.allowedToolCategories.length > 0
+  ) {
+    if (!toolCategory) return false;
+    return profile.allowedToolCategories.includes(toolCategory);
+  }
+
+  return true;
+}
+
+/**
+ * Get the effective trust level for a channel.
+ * Returns "standard" if no profile or no override is configured.
+ */
+export function getChannelTrustLevel(
+  channelId: string,
+): "restricted" | "standard" {
+  const profile = getChannelPermissionProfile(channelId);
+  return profile?.trustLevel ?? "standard";
+}

package/src/config/env.ts

@@ -57,11 +57,14 @@ export function getGatewayPort(): number {
 
 /**
  * Resolve the gateway base URL for internal service-to-service calls.
- * Prefers GATEWAY_INTERNAL_BASE_URL if set, otherwise derives from port.
+ * Prefers GATEWAY_INTERNAL_BASE_URL if set, then INTERNAL_GATEWAY_BASE_URL
+ * (used by skill subprocesses), otherwise derives from port.
  */
 export function getGatewayInternalBaseUrl(): string {
   const explicit = str("GATEWAY_INTERNAL_BASE_URL");
   if (explicit) return explicit.replace(/\/+$/, "");
+  const skillInjected = str("INTERNAL_GATEWAY_BASE_URL");
+  if (skillInjected) return skillInjected.replace(/\/+$/, "");
   return `http://127.0.0.1:${getGatewayPort()}`;
 }