@vellumai/assistant 0.4.37 → 0.4.41

package/src/amazon/client.ts

@@ -53,10 +53,14 @@ import type {
   ExtensionResponse,
 } from "../browser-extension-relay/protocol.js";
 import { extensionRelayServer } from "../browser-extension-relay/server.js";
-import { isSigningKeyInitialized } from "../runtime/auth/token-service.js";
+import {
+  initAuthSigningKey,
+  isSigningKeyInitialized,
+  loadOrCreateSigningKey,
+} from "../runtime/auth/token-service.js";
 import { gatewayPost } from "../runtime/gateway-internal-client.js";
 import type { ExtractedCredential } from "../tools/browser/network-recording-types.js";
-import { type AmazonSession, loadSession } from "./session.js";
+import { type AmazonSession, loadSession, saveSession } from "./session.js";
 
 export const AMAZON_BASE = "https://www.amazon.com";
 
@@ -81,12 +85,10 @@ export async function sendRelayCommand(
 
   // Fall back to HTTP relay endpoint via the gateway.
   // The gateway validates edge JWTs (aud=vellum-gateway) and mints an
-  // exchange token for the runtime. Without the signing key (CLI
-  // out-of-process), we cannot mint JWTs at all.
+  // exchange token for the runtime. In CLI out-of-process contexts the
+  // signing key may not be initialized yet — load it from disk.
   if (!isSigningKeyInitialized()) {
-    throw new Error(
-      "Auth signing key not initialized — browser-relay commands require the daemon to be running",
-    );
+    initAuthSigningKey(loadOrCreateSigningKey());
   }
 
   const { data } = await gatewayPost<ExtensionResponse>(
@@ -358,6 +360,86 @@ export interface PlaceOrderResult {
   estimatedDelivery?: string;
 }
 
+// ---------------------------------------------------------------------------
+// Session refresh via browser extension relay
+// ---------------------------------------------------------------------------
+
+/**
+ * Refresh the Amazon session by grabbing cookies directly from Chrome
+ * via the browser extension relay's `get_cookies` action.
+ *
+ * Much faster than the CDP-based Ride Shotgun flow — no separate Chrome
+ * instance, no recording. Requires the extension to be loaded and connected.
+ */
+export async function refreshSessionFromExtension(): Promise<AmazonSession> {
+  const resp = await sendRelayCommand({
+    action: "get_cookies",
+    domain: "amazon.com",
+  });
+
+  if (!resp.success) {
+    throw new Error(
+      `Failed to get cookies from browser extension: ${resp.error ?? "unknown error"}`,
+    );
+  }
+
+  const chromeCookies = resp.result as Array<{
+    name: string;
+    value: string;
+    domain: string;
+    path: string;
+    httpOnly: boolean;
+    secure: boolean;
+    expirationDate?: number;
+  }>;
+
+  if (!chromeCookies?.length) {
+    throw new Error(
+      "No Amazon cookies found in Chrome. " +
+        "Make sure you are signed into Amazon in Chrome.",
+    );
+  }
+
+  const cookies: ExtractedCredential[] = chromeCookies.map((c) => ({
+    name: c.name,
+    value: c.value,
+    domain: c.domain,
+    path: c.path || "/",
+    httpOnly: c.httpOnly,
+    secure: c.secure,
+    expires: c.expirationDate ? Math.floor(c.expirationDate) : undefined,
+  }));
+
+  // Validate required cookies
+  const cookieNames = new Set(cookies.map((c) => c.name));
+  if (!cookieNames.has("session-id")) {
+    throw new Error(
+      "Chrome cookies are missing required Amazon cookie: session-id. " +
+        "Make sure you are signed into Amazon in Chrome.",
+    );
+  }
+  if (!cookieNames.has("ubid-main")) {
+    throw new Error(
+      "Chrome cookies are missing required Amazon cookie: ubid-main. " +
+        "Make sure you are signed into Amazon in Chrome.",
+    );
+  }
+  if (!cookieNames.has("at-main") && !cookieNames.has("x-main")) {
+    throw new Error(
+      "Chrome cookies are missing required Amazon auth cookie (at-main or x-main). " +
+        "Make sure you are fully signed into Amazon in Chrome.",
+    );
+  }
+
+  const session: AmazonSession = {
+    cookies,
+    importedAt: new Date().toISOString(),
+  };
+
+  saveSession(session);
+  return session;
+}
+
 // ---------------------------------------------------------------------------
 // Re-export public API from submodules
 // ---------------------------------------------------------------------------

package/src/approvals/guardian-request-resolvers.ts

@@ -13,7 +13,7 @@
 
 import { answerCall } from "../calls/call-domain.js";
 import { getGatewayInternalBaseUrl } from "../config/env.js";
-import { upsertMember } from "../contacts/contacts-write.js";
+import { upsertContactChannel } from "../contacts/contacts-write.js";
 import {
   type CanonicalGuardianRequest,
   getCanonicalGuardianRequest,
@@ -459,7 +459,7 @@ const accessRequestResolver: GuardianRequestResolver = {
     // relay server's in-call wait loop will detect the approved status.
     if (channel === "voice") {
       try {
-        upsertMember({
+        upsertContactChannel({
           sourceChannel: "voice",
           externalUserId: requesterExternalUserId,
           externalChatId: requesterChatId,

package/src/bundler/app-bundler.ts

@@ -14,9 +14,10 @@ import { extname, join } from "node:path";
 import archiver from "archiver";
 import JSZip from "jszip";
 
-import { getApp, getAppsDir } from "../memory/app-store.js";
+import { getApp, getAppsDir, isMultifileApp } from "../memory/app-store.js";
 import { computeContentId } from "../util/content-id.js";
 import { getLogger } from "../util/logger.js";
+import { compileApp } from "./app-compiler.js";
 import type { SigningCallback } from "./bundle-signer.js";
 import { signBundle } from "./bundle-signer.js";
 import type { AppManifest } from "./manifest.js";
@@ -194,13 +195,15 @@ export async function packageApp(
     throw new Error(`App not found: ${appId}`);
   }
 
+  const multifile = isMultifileApp(app);
+
   // Build manifest
   const createdBy = `vellum-assistant/${PACKAGE_VERSION}`;
   const version = app.version ?? "1.0.0";
   const contentId = computeContentId(app.name);
 
   const manifest: AppManifest = {
-    format_version: 1,
+    format_version: multifile ? 2 : 1,
     name: app.name,
     ...(app.description ? { description: app.description } : {}),
     ...(app.icon ? { icon: app.icon } : {}),
@@ -213,28 +216,63 @@ export async function packageApp(
     content_id: contentId,
   };
 
-  // Fetch remote assets and rewrite HTML to reference local copies
-  const { rewrittenHtml, assets: fetchedAssets } = await materializeAssets(
-    app.htmlDefinition,
-  );
-
-  // Also materialize assets in additional pages
+  // For multifile apps, compile first then bundle the dist/ output.
+  // For legacy apps, materialize remote assets and bundle the HTML directly.
+  let rewrittenHtml = "";
+  let allAssets: FetchedAsset[] = [];
   const rewrittenPages: Record<string, string> = {};
-  const pageAssets: FetchedAsset[] = [];
-  if (app.pages) {
-    for (const [filename, content] of Object.entries(app.pages)) {
-      const result = await materializeAssets(content);
-      rewrittenPages[filename] = result.rewrittenHtml;
-      pageAssets.push(...result.assets);
+  const compiledFiles: { name: string; data: Buffer }[] = [];
+
+  if (multifile) {
+    const appDir = join(getAppsDir(), appId);
+    const compileResult = await compileApp(appDir);
+    if (!compileResult.ok) {
+      const messages = compileResult.errors
+        .map((e) => {
+          const loc = e.location
+            ? ` (${e.location.file}:${e.location.line}:${e.location.column})`
+            : "";
+          return `${e.text}${loc}`;
+        })
+        .join("\n");
+      throw new Error(`Compilation failed for app "${app.name}":\n${messages}`);
+    }
+
+    const distDir = join(appDir, "dist");
+    const indexHtml = await readFile(join(distDir, "index.html"), "utf-8");
+    const mainJs = await readFile(join(distDir, "main.js"));
+
+    compiledFiles.push({ name: "index.html", data: Buffer.from(indexHtml) });
+    compiledFiles.push({ name: "main.js", data: mainJs });
+
+    // main.css is optional — only produced when the app imports CSS
+    const cssPath = join(distDir, "main.css");
+    if (existsSync(cssPath)) {
+      compiledFiles.push({ name: "main.css", data: await readFile(cssPath) });
+    }
+  } else {
+    // Legacy path: fetch remote assets and rewrite HTML
+    const materialized = await materializeAssets(app.htmlDefinition);
+    rewrittenHtml = materialized.rewrittenHtml;
+    const fetchedAssets = materialized.assets;
+
+    // Also materialize assets in additional pages
+    const pageAssets: FetchedAsset[] = [];
+    if (app.pages) {
+      for (const [filename, content] of Object.entries(app.pages)) {
+        const result = await materializeAssets(content);
+        rewrittenPages[filename] = result.rewrittenHtml;
+        pageAssets.push(...result.assets);
+      }
     }
-  }
 
-  // Deduplicate assets by archive path
-  const allAssetsMap = new Map<string, FetchedAsset>();
-  for (const asset of [...fetchedAssets, ...pageAssets]) {
-    allAssetsMap.set(asset.archivePath, asset);
+    // Deduplicate assets by archive path
+    const allAssetsMap = new Map<string, FetchedAsset>();
+    for (const asset of [...fetchedAssets, ...pageAssets]) {
+      allAssetsMap.set(asset.archivePath, asset);
+    }
+    allAssets = [...allAssetsMap.values()];
   }
-  const allAssets = [...allAssetsMap.values()];
 
   // Create the zip archive
   const safeName = app.name.replace(/[/\\:*?"<>|]/g, "_").trim() || "App";
@@ -264,20 +302,27 @@ export async function packageApp(
     // Add manifest.json at root level
     archive.append(serializeManifest(manifest), { name: "manifest.json" });
 
-    // Add index.html at root level
-    archive.append(rewrittenHtml, { name: "index.html" });
-
-    // Add additional pages alongside index.html (with rewritten asset URLs)
-    if (app.pages) {
-      for (const filename of Object.keys(app.pages)) {
-        const content = rewrittenPages[filename] ?? app.pages[filename];
-        archive.append(content, { name: filename });
+    if (multifile) {
+      // Add compiled dist/ files
+      for (const file of compiledFiles) {
+        archive.append(file.data, { name: file.name });
+      }
+    } else {
+      // Add index.html at root level
+      archive.append(rewrittenHtml, { name: "index.html" });
+
+      // Add additional pages alongside index.html (with rewritten asset URLs)
+      if (app.pages) {
+        for (const filename of Object.keys(app.pages)) {
+          const content = rewrittenPages[filename] ?? app.pages[filename];
+          archive.append(content, { name: filename });
+        }
       }
-    }
 
-    // Add fetched remote assets
-    for (const asset of allAssets) {
-      archive.append(asset.data, { name: asset.archivePath });
+      // Add fetched remote assets
+      for (const asset of allAssets) {
+        archive.append(asset.data, { name: asset.archivePath });
+      }
     }
 
     // Include app icon if one was generated

package/src/bundler/app-compiler.ts

@@ -0,0 +1,195 @@
+/**
+ * esbuild wrapper for compiling multi-file TSX apps.
+ *
+ * Compiles src/main.tsx → dist/main.js, copies index.html with
+ * script/style tag injection, and returns structured diagnostics.
+ */
+
+import { existsSync, rmSync } from "node:fs";
+import { mkdir, readdir, readFile, writeFile } from "node:fs/promises";
+import { join, resolve } from "node:path";
+
+import { build, type Message, type Plugin } from "esbuild";
+
+import { getLogger } from "../util/logger.js";
+import {
+  ALLOWED_PACKAGES,
+  getCacheDir,
+  isBareImport,
+  packageName,
+  resolvePackage,
+} from "./package-resolver.js";
+
+const log = getLogger("app-compiler");
+
+export interface CompileDiagnostic {
+  text: string;
+  location?: { file: string; line: number; column: number };
+}
+
+export interface CompileResult {
+  ok: boolean;
+  errors: CompileDiagnostic[];
+  warnings: CompileDiagnostic[];
+  durationMs: number;
+}
+
+function mapDiagnostics(messages: Message[]): CompileDiagnostic[] {
+  return messages.map((msg) => ({
+    text: msg.text,
+    ...(msg.location
+      ? {
+          location: {
+            file: msg.location.file,
+            line: msg.location.line,
+            column: msg.location.column,
+          },
+        }
+      : {}),
+  }));
+}
+
+/**
+ * Compile a TSX app from appDir/src/ into appDir/dist/.
+ *
+ * Expects appDir/src/main.tsx as the entry point and appDir/src/index.html
+ * as the HTML shell. Produces appDir/dist/main.js and appDir/dist/index.html
+ * (with script and optional stylesheet tags injected).
+ */
+export async function compileApp(appDir: string): Promise<CompileResult> {
+  const start = performance.now();
+  const srcDir = join(appDir, "src");
+  const distDir = join(appDir, "dist");
+  const entryPoint = join(srcDir, "main.tsx");
+
+  // Clear stale dist/ output so removed assets (e.g. CSS) don't persist
+  if (existsSync(distDir)) {
+    rmSync(distDir, { recursive: true, force: true });
+  }
+  await mkdir(distDir, { recursive: true });
+
+  // Resolve preact from the assistant's own node_modules so per-app
+  // directories don't need their own copy.
+  const preactDir = resolve(
+    import.meta.dirname ?? __dirname,
+    "../../node_modules/preact",
+  );
+
+  // Plugin that resolves bare third-party imports against the allowlist
+  const resolvePlugin: Plugin = {
+    name: "vellum-package-resolver",
+    setup(pluginBuild) {
+      pluginBuild.onResolve({ filter: /.*/ }, async (args) => {
+        // Only intercept bare specifiers (not relative, not preact/react aliases)
+        if (
+          args.kind !== "import-statement" &&
+          args.kind !== "dynamic-import"
+        ) {
+          return undefined;
+        }
+        if (!isBareImport(args.path)) return undefined;
+
+        const pkg = packageName(args.path);
+        const nodeModulesDir = await resolvePackage(pkg);
+
+        if (nodeModulesDir) {
+          // Let esbuild resolve normally — nodePaths will pick it up
+          return undefined;
+        }
+
+        // Not allowed — produce a clear error
+        return {
+          errors: [
+            {
+              text: `Package '${pkg}' is not in the allowed list. Allowed: ${ALLOWED_PACKAGES.join(", ")}`,
+            },
+          ],
+        };
+      });
+    },
+  };
+
+  const cacheNodeModules = join(getCacheDir(), "node_modules");
+
+  let result;
+  try {
+    result = await build({
+      entryPoints: [entryPoint],
+      bundle: true,
+      minify: true,
+      sourcemap: false,
+      outdir: distDir,
+      format: "esm",
+      target: ["es2022"],
+      jsx: "automatic",
+      jsxImportSource: "preact",
+      loader: {
+        ".tsx": "tsx",
+        ".ts": "ts",
+        ".jsx": "jsx",
+        ".js": "js",
+        ".css": "css",
+      },
+      alias: {
+        react: "preact/compat",
+        "react-dom": "preact/compat",
+      },
+      plugins: [resolvePlugin],
+      // Point esbuild at assistant's preact and at the shared package cache
+      nodePaths: [resolve(preactDir, ".."), cacheNodeModules],
+      logLevel: "silent",
+    });
+  } catch (err: unknown) {
+    // esbuild throws on hard failures (e.g. syntax errors) with .errors/.warnings
+    const esbuildErr = err as {
+      errors?: Message[];
+      warnings?: Message[];
+    };
+    const durationMs = Math.round(performance.now() - start);
+    const errors = mapDiagnostics(esbuildErr.errors ?? []);
+    const warnings = mapDiagnostics(esbuildErr.warnings ?? []);
+    log.info({ durationMs, errorCount: errors.length }, "Build failed");
+    return { ok: false, errors, warnings, durationMs };
+  }
+
+  const errors = mapDiagnostics(result.errors);
+  const warnings = mapDiagnostics(result.warnings);
+
+  if (errors.length > 0) {
+    const durationMs = Math.round(performance.now() - start);
+    log.info({ durationMs, errorCount: errors.length }, "Build failed");
+    return { ok: false, errors, warnings, durationMs };
+  }
+
+  // Copy index.html and inject script/style tags
+  const htmlSrc = join(srcDir, "index.html");
+  if (existsSync(htmlSrc)) {
+    let html = await readFile(htmlSrc, "utf-8");
+
+    // Check if CSS output was produced
+    const distFiles = await readdir(distDir);
+    const hasCss = distFiles.some((f) => f.endsWith(".css"));
+
+    // Inject stylesheet link into <head> if CSS exists and not already present
+    if (hasCss && !html.includes('href="main.css"')) {
+      html = html.replace(
+        "</head>",
+        '  <link rel="stylesheet" href="main.css">\n  </head>',
+      );
+    }
+
+    // Inject script tag before </body> if not already present
+    if (!html.includes('src="main.js"')) {
+      html = html.replace(
+        "</body>",
+        '  <script type="module" src="main.js"></script>\n  </body>',
+      );
+    }
+
+    await writeFile(join(distDir, "index.html"), html);
+  }
+
+  const durationMs = Math.round(performance.now() - start);
+  log.info({ durationMs }, "Build succeeded");
+  return { ok: true, errors, warnings, durationMs };
+}

package/src/bundler/manifest.ts

@@ -3,7 +3,7 @@
  */
 
 export interface AppManifest {
-  format_version: number; // always 1
+  format_version: number; // 1 = legacy single-HTML; 2 = multi-file TSX (future PR)
   name: string;
   description?: string;
   icon?: string; // single emoji

package/src/bundler/package-resolver.ts

@@ -0,0 +1,185 @@
+/**
+ * Third-party package resolver with an allowlist for app builds.
+ *
+ * Maintains a shared cache at ~/.vellum/package-cache/ so packages are
+ * installed once and reused across all app compilations.
+ */
+
+import { existsSync } from "node:fs";
+import { mkdir, stat } from "node:fs/promises";
+import { homedir } from "node:os";
+import { join } from "node:path";
+
+import { getLogger } from "../util/logger.js";
+
+const log = getLogger("package-resolver");
+
+/** Packages the model is likely to use and that we trust in sandboxed apps. */
+export const ALLOWED_PACKAGES: readonly string[] = [
+  "date-fns",
+  "chart.js",
+  "lodash-es",
+  "zod",
+  "clsx",
+  "lucide",
+] as const;
+
+const INSTALL_TIMEOUT_MS = 10_000;
+const MAX_PACKAGE_SIZE_BYTES = 5 * 1024 * 1024; // 5 MB
+
+/** In-flight install promises keyed by package name, to deduplicate concurrent requests. */
+const inflight = new Map<string, Promise<string | null>>();
+
+/** Where all cached packages live on disk. */
+export function getCacheDir(): string {
+  return join(homedir(), ".vellum", "package-cache");
+}
+
+/**
+ * Return true when `name` is a bare specifier that our plugin should handle
+ * (i.e. not a relative/absolute path, not preact/react which are aliased).
+ */
+export function isBareImport(name: string): boolean {
+  if (name.startsWith(".") || name.startsWith("/")) return false;
+  if (
+    name.startsWith("preact") ||
+    name.startsWith("react") ||
+    name.startsWith("react-dom")
+  ) {
+    return false;
+  }
+  return true;
+}
+
+/** Get the top-level package name from a specifier (handles scoped pkgs). */
+export function packageName(specifier: string): string {
+  if (specifier.startsWith("@")) {
+    const parts = specifier.split("/");
+    return parts.slice(0, 2).join("/");
+  }
+  return specifier.split("/")[0];
+}
+
+/**
+ * Resolve a third-party package from the shared cache.
+ *
+ * Returns the path to the package inside node_modules, or null if the
+ * package is not allowed or installation failed.
+ */
+export async function resolvePackage(name: string): Promise<string | null> {
+  const pkg = packageName(name);
+
+  if (!ALLOWED_PACKAGES.includes(pkg)) {
+    return null;
+  }
+
+  const cacheDir = getCacheDir();
+  const nodeModulesDir = join(cacheDir, "node_modules");
+  const pkgDir = join(nodeModulesDir, pkg);
+
+  // Already cached — skip install
+  if (existsSync(pkgDir)) {
+    return nodeModulesDir;
+  }
+
+  // Deduplicate concurrent install requests for the same package
+  const existing = inflight.get(pkg);
+  if (existing) {
+    return existing;
+  }
+
+  const promise = installPackage(pkg, cacheDir, nodeModulesDir, pkgDir);
+  inflight.set(pkg, promise);
+  try {
+    return await promise;
+  } finally {
+    inflight.delete(pkg);
+  }
+}
+
+async function installPackage(
+  pkg: string,
+  cacheDir: string,
+  nodeModulesDir: string,
+  pkgDir: string,
+): Promise<string | null> {
+  // Ensure cache directory exists with a package.json so bun install works
+  await mkdir(cacheDir, { recursive: true });
+  const pkgJsonPath = join(cacheDir, "package.json");
+  if (!existsSync(pkgJsonPath)) {
+    const { writeFile } = await import("node:fs/promises");
+    await writeFile(
+      pkgJsonPath,
+      JSON.stringify({ name: "vellum-pkg-cache", private: true }),
+    );
+  }
+
+  log.info({ pkg }, "Installing package into shared cache");
+
+  try {
+    const proc = Bun.spawn(["bun", "install", "--no-save", pkg], {
+      cwd: cacheDir,
+      stdout: "pipe",
+      stderr: "pipe",
+      env: {
+        ...process.env,
+        PATH: `${homedir()}/.bun/bin:${process.env.PATH}`,
+      },
+    });
+
+    // Race against timeout
+    const exited = proc.exited;
+    let timer: ReturnType<typeof setTimeout>;
+    const timeout = new Promise<"timeout">((resolve) => {
+      timer = setTimeout(() => resolve("timeout"), INSTALL_TIMEOUT_MS);
+    });
+
+    const raceResult = await Promise.race([exited, timeout]);
+    clearTimeout(timer!);
+
+    if (raceResult === "timeout") {
+      proc.kill();
+      log.warn({ pkg }, "Package install timed out");
+      return null;
+    }
+
+    if (raceResult !== 0) {
+      const stderr = await new Response(proc.stderr).text();
+      log.warn({ pkg, stderr }, "Package install failed");
+      return null;
+    }
+
+    // Enforce max size
+    if (existsSync(pkgDir)) {
+      const size = await dirSize(pkgDir);
+      if (size > MAX_PACKAGE_SIZE_BYTES) {
+        log.warn({ pkg, size }, "Package exceeds size limit, removing");
+        const { rm } = await import("node:fs/promises");
+        await rm(pkgDir, { recursive: true, force: true });
+        return null;
+      }
+    }
+
+    return existsSync(pkgDir) ? nodeModulesDir : null;
+  } catch (err) {
+    log.warn({ pkg, err }, "Package resolution failed");
+    return null;
+  }
+}
+
+/** Recursively sum file sizes under a directory. */
+async function dirSize(dir: string): Promise<number> {
+  const { readdir } = await import("node:fs/promises");
+  const entries = await readdir(dir, { withFileTypes: true });
+  let total = 0;
+  for (const entry of entries) {
+    const full = join(dir, entry.name);
+    if (entry.isDirectory()) {
+      total += await dirSize(full);
+    } else {
+      const s = await stat(full);
+      total += s.size;
+    }
+  }
+  return total;
+}