@vellumai/assistant 0.4.29 → 0.4.30

package/src/tools/tool-approval-handler.ts

@@ -1,8 +1,10 @@
 import { consumeGrantForInvocation } from "../approvals/approval-primitive.js";
+import { isToolAllowedInChannel } from "../config/channel-permission-profiles.js";
 import {
   getCanonicalGuardianRequest,
   updateCanonicalGuardianRequest,
 } from "../memory/canonical-guardian-store.js";
+import { isUntrustedTrustClass } from "../runtime/actor-trust-resolver.js";
 import { DAEMON_INTERNAL_ASSISTANT_ID } from "../runtime/assistant-scope.js";
 import { createOrReuseToolGrantRequest } from "../runtime/tool-grant-request-helper.js";
 import { computeToolApprovalDigest } from "../security/tool-approval-digest.js";
@@ -129,10 +131,6 @@ export async function waitForInlineGrant(
   return { outcome: "timeout", requestId: escalationRequestId };
 }
 
-function isUntrustedTrustClass(role: ToolContext["trustClass"]): boolean {
-  return role === "trusted_contact" || role === "unknown";
-}
-
 function requiresGuardianApprovalForActor(
   toolName: string,
   input: Record<string, unknown>,
@@ -365,6 +363,52 @@ export class ToolApprovalHandler {
       return { allowed: false, result: { content: msg, isError: true } };
     }
 
+    // Enforce channel-scoped permission profiles (deterministic gate).
+    // When the session originates from a Slack channel with a configured
+    // permission profile, blocked tools and category restrictions are
+    // enforced here rather than relying on model compliance with hints.
+    if (
+      context.executionChannel === "slack" &&
+      context.channelPermissionChannelId
+    ) {
+      if (
+        !isToolAllowedInChannel(
+          context.channelPermissionChannelId,
+          name,
+          tool.category,
+        )
+      ) {
+        const msg = `Tool "${name}" is not allowed in this channel per channel permission policy.`;
+        log.warn(
+          {
+            toolName: name,
+            channelId: context.channelPermissionChannelId,
+            category: tool.category,
+            sessionId: context.sessionId,
+            conversationId: context.conversationId,
+            reason: "channel_permission_policy",
+          },
+          "Channel permission policy blocked tool invocation",
+        );
+        const durationMs = Date.now() - startTime;
+        emitLifecycleEvent({
+          type: "permission_denied",
+          toolName: name,
+          executionTarget,
+          input,
+          workingDir: context.workingDir,
+          sessionId: context.sessionId,
+          conversationId: context.conversationId,
+          requestId: context.requestId,
+          riskLevel,
+          decision: "deny",
+          reason: msg,
+          durationMs,
+        });
+        return { allowed: false, result: { content: msg, isError: true } };
+      }
+    }
+
     // All policy gates passed. Now consume the scoped grant if one is
     // required. Deferring consumption to this point ensures a downstream
     // rejection (allowedToolNames, task-run preflight, registry lookup)

package/src/tools/types.ts

@@ -1,4 +1,3 @@
-import type { ProxyApprovalCallback } from "../outbound-proxy/index.js";
 import type { SecretPromptResult } from "../permissions/secret-prompter.js";
 import type {
   AllowlistOption,
@@ -166,6 +165,8 @@ export interface ToolContext {
   requesterExternalUserId?: string;
   /** Chat ID of the requester (non-guardian actor). Used for tool grant request escalation notifications. */
   requesterChatId?: string;
+  /** Slack channel ID for channel-scoped permission enforcement. When set, tools are checked against the channel's permission profile. */
+  channelPermissionChannelId?: string;
 }
 
 export interface DiffInfo {
@@ -200,6 +201,42 @@ export interface ToolExecutionResult {
   yieldToUser?: boolean;
 }
 
+// ---------------------------------------------------------------------------
+// Proxy approval types — local definitions for the outbound-proxy contract.
+// The proxy service owns the canonical shapes; these are the assistant's
+// minimal view of the approval callback interface.
+// ---------------------------------------------------------------------------
+
+/** Approval request from the outbound proxy when a policy decision requires user confirmation. */
+export interface ProxyApprovalRequest {
+  decision: {
+    kind: "ask_missing_credential" | "ask_unauthenticated";
+    target: {
+      hostname: string;
+      port: number | null;
+      path: string;
+      scheme: "http" | "https";
+    };
+    /** Present when kind is "ask_missing_credential". */
+    matchingPatterns?: string[];
+  };
+  sessionId: string;
+}
+
+/** Callback for proxy policy decisions requiring user confirmation. Returns true if approved. */
+export type ProxyApprovalCallback = (
+  request: ProxyApprovalRequest,
+) => Promise<boolean>;
+
+/** Env vars a proxy session injects into child processes. */
+export interface ProxyEnvVars {
+  HTTP_PROXY: string;
+  HTTPS_PROXY: string;
+  NO_PROXY: string;
+  NODE_EXTRA_CA_CERTS?: string;
+  SSL_CERT_FILE?: string;
+}
+
 export interface Tool {
   name: string;
   description: string;

package/src/util/errors.ts

@@ -109,14 +109,18 @@ export class AssistantError extends VellumError {
 }
 
 export class ProviderError extends AssistantError {
+  /** Delay (in ms) suggested by the server's Retry-After header, if present. */
+  public readonly retryAfterMs?: number;
+
   constructor(
     message: string,
     public readonly provider: string,
     public readonly statusCode?: number,
-    options?: { cause?: unknown },
+    options?: { cause?: unknown; retryAfterMs?: number },
   ) {
     super(message, ErrorCode.PROVIDER_ERROR, options);
     this.name = "ProviderError";
+    this.retryAfterMs = options?.retryAfterMs;
   }
 }
 

package/src/util/retry.ts

@@ -125,4 +125,25 @@ export function abortableSleep(
   });
 }
 
+/**
+ * Extract retry-after milliseconds from an SDK error's headers object.
+ * Handles both Map-like (OpenAI: Headers with .get()) and plain-object
+ * (Anthropic: Record<string, string>) header shapes.
+ */
+export function extractRetryAfterMs(headers: unknown): number | undefined {
+  if (!headers) return undefined;
+
+  let raw: string | null | undefined;
+  if (typeof (headers as { get?: unknown }).get === "function") {
+    raw = (headers as { get(k: string): string | null }).get("retry-after");
+  } else if (typeof headers === "object") {
+    raw = (headers as Record<string, string>)["retry-after"];
+  }
+
+  if (typeof raw === "string") {
+    return parseRetryAfterMs(raw);
+  }
+  return undefined;
+}
+
 export { DEFAULT_BASE_DELAY_MS, DEFAULT_MAX_RETRIES };

package/src/watcher/providers/slack.ts

@@ -25,6 +25,20 @@ const log = getLogger("watcher:slack");
  * When `channels` is specified, those channels are monitored for ALL messages
  * (not just mentions). When omitted or empty, the legacy behavior applies:
  * @mentions in the top 20 member channels.
+ *
+ * ## Socket Mode Redundancy
+ *
+ * When the gateway is running with Socket Mode enabled, it already receives
+ * real-time events for @mentions, DMs, and active thread replies. The watcher's
+ * polling is therefore redundant for those event types. Set
+ * `socketModeActive: true` to skip polling for DMs and @mentions that Socket
+ * Mode already covers. The watcher will still poll for configured `channels`
+ * (all-message monitoring) since Socket Mode only forwards messages where the
+ * bot is mentioned or in active threads.
+ *
+ * @deprecated The polling-based watcher for DMs and @mentions is superseded by
+ * Socket Mode in the gateway. Once Socket Mode is confirmed stable, the DM and
+ * mention-polling code paths can be removed entirely.
  */
 interface SlackWatcherConfig {
   /** Channel IDs to watch for all messages (e.g. ["C01234ABCDE"]).
@@ -32,6 +46,12 @@ interface SlackWatcherConfig {
   channels?: string[];
   /** When true, also monitor DMs and group DMs (default: true). */
   includeDMs?: boolean;
+  /**
+   * When true, skip polling for DMs and @mentions since the gateway's Socket
+   * Mode connection already delivers those events in real-time. The watcher
+   * will still poll explicitly configured `channels` for all-message monitoring.
+   */
+  socketModeActive?: boolean;
 }
 
 function messageToItem(
@@ -142,6 +162,13 @@ export const slackProvider: WatcherProvider = {
           ? slackConfig.includeDMs
           : true;
 
+      const socketModeActive = slackConfig.socketModeActive === true;
+      if (socketModeActive) {
+        log.info(
+          "Socket Mode active — skipping DM and @mention polling (handled by gateway)",
+        );
+      }
+
       const authResp = await slack.authTest(token);
       const userId = authResp.user_id;
 
@@ -149,7 +176,8 @@ export const slackProvider: WatcherProvider = {
       let latestTs = watermark;
 
       // ── DM / Group DM polling ──────────────────────────────────────
-      if (includeDMs) {
+      // Skip when Socket Mode is active — the gateway already delivers DM events in real-time.
+      if (includeDMs && !socketModeActive) {
         const convResp = await slack.listConversations(
           token,
           "im,mpim",
@@ -204,8 +232,10 @@ export const slackProvider: WatcherProvider = {
             );
           }
         }
-      } else {
-        // Legacy behavior: check top 20 member channels for @mentions only
+      } else if (!socketModeActive) {
+        // Legacy behavior: check top 20 member channels for @mentions only.
+        // Skipped when Socket Mode is active — the gateway already delivers
+        // app_mention events in real-time.
         const memberConvResp = await slack.listConversations(
           token,
           "public_channel,private_channel",