@vellumai/assistant 0.4.46 → 0.4.49

package/src/config/env-registry.ts

@@ -24,13 +24,6 @@ function flag(name: string): boolean {
   return raw === "true" || raw === "1";
 }
 
-function flagTriState(name: string): boolean | undefined {
-  const raw = str(name);
-  if (raw === "true" || raw === "1") return true;
-  if (raw === "false" || raw === "0") return false;
-  return undefined;
-}
-
 // ── Registry ─────────────────────────────────────────────────────────────────
 // Each entry documents the env var name, type, default, and purpose.
 
@@ -43,62 +36,6 @@ export function getBaseDataDir(): string | undefined {
   return str("BASE_DATA_DIR");
 }
 
-/**
- * VELLUM_DAEMON_TCP_PORT — number, default: 8765
- * TCP port for the daemon's TCP listener (used by iOS clients).
- */
-export function getDaemonTcpPort(): number {
-  const raw = str("VELLUM_DAEMON_TCP_PORT");
-  if (raw) {
-    const port = parseInt(raw, 10);
-    if (!isNaN(port) && port > 0 && port <= 65535) return port;
-  }
-  return 8765;
-}
-
-/**
- * VELLUM_DAEMON_TCP_ENABLED — boolean tri-state, default: undefined (falls back to flag file)
- * Whether the daemon TCP listener should be active.
- * 'true'/'1' → on, 'false'/'0' → off, unset → check flag file.
- */
-export function getDaemonTcpEnabled(): boolean | undefined {
-  return flagTriState("VELLUM_DAEMON_TCP_ENABLED");
-}
-
-/**
- * VELLUM_DAEMON_TCP_HOST — string, default: context-dependent (127.0.0.1 or 0.0.0.0)
- * Hostname/address for the TCP listener. When unset, platform.ts resolves
- * based on whether iOS pairing is enabled.
- */
-export function getDaemonTcpHost(): string | undefined {
-  return str("VELLUM_DAEMON_TCP_HOST");
-}
-
-/**
- * VELLUM_DAEMON_IOS_PAIRING — boolean tri-state, default: undefined (falls back to flag file)
- * Whether iOS pairing mode is enabled. When on, TCP binds to 0.0.0.0.
- * 'true'/'1' → on, 'false'/'0' → off, unset → check flag file.
- */
-export function getDaemonIosPairing(): boolean | undefined {
-  return flagTriState("VELLUM_DAEMON_IOS_PAIRING");
-}
-
-/**
- * VELLUM_DEBUG — boolean, default: false
- * Enables debug-level logging and verbose output.
- */
-export function getDebugMode(): boolean {
-  return flag("VELLUM_DEBUG");
-}
-
-/**
- * VELLUM_LOG_STDERR — boolean, default: false
- * Forces logger output to stderr instead of log files.
- */
-export function getLogStderr(): boolean {
-  return flag("VELLUM_LOG_STDERR");
-}
-
 /**
  * DEBUG_STDOUT_LOGS — boolean, default: false
  * Enables additional log output to stdout (alongside file logging).
@@ -107,14 +44,6 @@ export function getDebugStdoutLogs(): boolean {
   return flag("DEBUG_STDOUT_LOGS");
 }
 
-/**
- * VELLUM_ENABLE_MONITORING — boolean, default: false
- * Enables monitoring/telemetry (Logfire, etc.).
- */
-export function getEnableMonitoring(): boolean {
-  return flag("VELLUM_ENABLE_MONITORING");
-}
-
 /**
  * IS_CONTAINERIZED — boolean, default: false
  * When true, indicates the assistant is running inside a container (e.g. Docker).
@@ -132,24 +61,26 @@ export function getIsContainerized(): boolean {
  * to warn about typos or unrecognized variables.
  */
 const KNOWN_VELLUM_VARS = new Set([
-  "VELLUM_DAEMON_TCP_PORT",
-  "VELLUM_DAEMON_TCP_ENABLED",
-  "VELLUM_DAEMON_TCP_HOST",
-  "VELLUM_DAEMON_IOS_PAIRING",
-  "VELLUM_DAEMON_NOAUTH",
+  "VELLUM_ASSISTANT_NAME",
+  "VELLUM_AWS_ROLE_ARN",
+  "VELLUM_CLAUDE_CODE_DEPTH",
+  "VELLUM_CUSTOM_QR_CODE_PATH",
   "VELLUM_DAEMON_AUTOSTART",
-  "VELLUM_DEBUG",
-  "VELLUM_LOG_STDERR",
-  "VELLUM_ENABLE_MONITORING",
+  "VELLUM_DAEMON_NOAUTH",
+  "VELLUM_DATA_DIR",
+  "VELLUM_DESKTOP_APP",
+  "VELLUM_DEV",
+  "VELLUM_ENABLE_INSECURE_LAN_PAIRING",
+  "VELLUM_HATCHED_BY",
   "VELLUM_HOOK_EVENT",
   "VELLUM_HOOK_NAME",
   "VELLUM_HOOK_SETTINGS",
+  "VELLUM_LOCKFILE_DIR",
+  "VELLUM_PLATFORM_URL",
   "VELLUM_ROOT_DIR",
-  "VELLUM_WORKSPACE_DIR",
-  "VELLUM_CLAUDE_CODE_DEPTH",
-  "VELLUM_ASSISTANT_PLATFORM_URL",
+  "VELLUM_SSH_USER",
   "VELLUM_UNSAFE_AUTH_BYPASS",
-  "VELLUM_DATA_DIR",
+  "VELLUM_WORKSPACE_DIR",
 ]);
 
 /**

package/src/config/env.ts

@@ -8,17 +8,13 @@
  * - Fail-fast validation via validateEnv() at startup
  * - Shared derived values (e.g. gateway base URL) instead of duplicated logic
  *
- * Bootstrap-level env vars (BASE_DATA_DIR, VELLUM_DAEMON_*, VELLUM_DEBUG,
- * VELLUM_LOG_STDERR, DEBUG_STDOUT_LOGS) are defined in config/env-registry.ts
- * which has no internal dependencies and can be imported from platform/logger
- * without circular imports.
+ * Bootstrap-level env vars (BASE_DATA_DIR, DEBUG_STDOUT_LOGS) are defined
+ * in config/env-registry.ts which has no internal dependencies and can be
+ * imported from platform/logger without circular imports.
  */
 
 import { getLogger } from "../util/logger.js";
-import {
-  checkUnrecognizedEnvVars,
-  getEnableMonitoring,
-} from "./env-registry.js";
+import { checkUnrecognizedEnvVars } from "./env-registry.js";
 
 const log = getLogger("env");
 
@@ -55,33 +51,23 @@ export function getGatewayPort(): number {
   return int("GATEWAY_PORT", DEFAULT_GATEWAY_PORT);
 }
 
-/**
- * Resolve the gateway base URL for internal service-to-service calls.
- * Prefers GATEWAY_INTERNAL_BASE_URL if set, then INTERNAL_GATEWAY_BASE_URL
- * (used by skill subprocesses), otherwise derives from port.
- */
+/** Resolve the gateway base URL for internal service-to-service calls. */
 export function getGatewayInternalBaseUrl(): string {
-  const explicit = str("GATEWAY_INTERNAL_BASE_URL");
-  if (explicit) return explicit.replace(/\/+$/, "");
-  const skillInjected = str("INTERNAL_GATEWAY_BASE_URL");
-  if (skillInjected) return skillInjected.replace(/\/+$/, "");
   return `http://127.0.0.1:${getGatewayPort()}`;
 }
 
 // ── Ingress ──────────────────────────────────────────────────────────────────
 
-/** Read the INGRESS_PUBLIC_BASE_URL env var (may be mutated at runtime by config handlers). */
+let _ingressPublicBaseUrl: string | undefined;
+
+/** Read the ingress public base URL (module-level state, mutated at runtime by config handlers). */
 export function getIngressPublicBaseUrl(): string | undefined {
-  return str("INGRESS_PUBLIC_BASE_URL");
+  return _ingressPublicBaseUrl;
 }
 
-/** Set or clear the INGRESS_PUBLIC_BASE_URL env var (used by config handlers). */
+/** Set or clear the ingress public base URL (used by config handlers). */
 export function setIngressPublicBaseUrl(value: string | undefined): void {
-  if (value) {
-    process.env.INGRESS_PUBLIC_BASE_URL = value;
-  } else {
-    delete process.env.INGRESS_PUBLIC_BASE_URL;
-  }
+  _ingressPublicBaseUrl = value;
 }
 
 // ── Runtime HTTP ─────────────────────────────────────────────────────────────
@@ -117,37 +103,12 @@ export function hasUngatedHttpAuthDisabled(): boolean {
   return str("VELLUM_UNSAFE_AUTH_BYPASS")?.trim() !== "1";
 }
 
-// ── Twilio ───────────────────────────────────────────────────────────────────
-
-export function getTwilioPhoneNumberEnv(): string | undefined {
-  return str("TWILIO_PHONE_NUMBER");
-}
-
-export function getTwilioUserPhoneNumber(): string | undefined {
-  return str("TWILIO_USER_PHONE_NUMBER");
-}
-
-export function isTwilioWebhookValidationDisabled(): boolean {
-  // Intentionally strict: only exact "true" disables validation (not "1").
-  // This is a security-sensitive bypass — we don't want environments that
-  // template booleans as "1" to silently skip webhook signature checks.
-  return process.env.TWILIO_WEBHOOK_VALIDATION_DISABLED === "true";
-}
-
-export function getCallWelcomeGreeting(): string | undefined {
-  return str("CALL_WELCOME_GREETING");
-}
-
 // ── Monitoring ───────────────────────────────────────────────────────────────
 
 export function getLogfireToken(): string | undefined {
   return str("LOGFIRE_TOKEN");
 }
 
-export function isMonitoringEnabled(): boolean {
-  return getEnableMonitoring();
-}
-
 const DEFAULT_SENTRY_DSN =
   "https://db2d38a082e4ee35eeaea08c44b376ec@o4504590528675840.ingest.us.sentry.io/4510874712276992";
 

package/src/config/feature-flag-registry.json

@@ -33,22 +33,6 @@
       "description": "Enable messaging skill section in the system prompt",
       "defaultEnabled": true
     },
-    {
-      "id": "messaging-gmail",
-      "scope": "assistant",
-      "key": "feature_flags.messaging.gmail.enabled",
-      "label": "Messaging: Gmail",
-      "description": "Allow messaging tools to operate on the Gmail platform",
-      "defaultEnabled": true
-    },
-    {
-      "id": "messaging-telegram",
-      "scope": "assistant",
-      "key": "feature_flags.messaging.telegram.enabled",
-      "label": "Messaging: Telegram",
-      "description": "Allow messaging tools to operate on the Telegram platform",
-      "defaultEnabled": false
-    },
     {
       "id": "collect-usage-data",
       "scope": "assistant",
@@ -81,6 +65,14 @@
       "description": "Show the Contacts tab in Settings for viewing and managing contacts",
       "defaultEnabled": false
     },
+    {
+      "id": "email-channel",
+      "scope": "assistant",
+      "key": "feature_flags.email-channel.enabled",
+      "label": "Email Channel",
+      "description": "Show the Email channel card on the Contacts page and enable the email-setup skill",
+      "defaultEnabled": false
+    },
     {
       "id": "outbound-proxy-sidecar",
       "scope": "assistant",
@@ -128,6 +120,14 @@
       "label": "Settings Developer Nav",
       "description": "Control Developer nav visibility in macOS settings",
       "defaultEnabled": true
+    },
+    {
+      "id": "logfire",
+      "scope": "assistant",
+      "key": "feature_flags.logfire.enabled",
+      "label": "Logfire LLM Observability",
+      "description": "Enable Logfire tracing for LLM request/response telemetry when LOGFIRE_TOKEN is set",
+      "defaultEnabled": false
     }
   ]
 }

package/src/config/schema.ts

@@ -289,7 +289,9 @@ export const AssistantConfigSchema = z
       PermissionsConfigSchema.parse({}),
     ),
     auditLog: AuditLogConfigSchema.default(AuditLogConfigSchema.parse({})),
-    logFile: LogFileConfigSchema.default(LogFileConfigSchema.parse({})),
+    logFile: LogFileConfigSchema.default(
+      LogFileConfigSchema.parse({ dir: getDataDir() + "/logs" }),
+    ),
     pricingOverrides: z.array(ModelPricingOverrideSchema).default([]),
     heartbeat: HeartbeatConfigSchema.default(HeartbeatConfigSchema.parse({})),
     swarm: SwarmConfigSchema.default(SwarmConfigSchema.parse({})),

package/src/config/skills.ts

@@ -146,14 +146,23 @@ export interface SkillDefinition extends SkillSummary {
   body: string;
 }
 
+export type SkillLookupErrorCode =
+  | "not_found"
+  | "ambiguous"
+  | "empty_catalog"
+  | "invalid_selector"
+  | "load_failed";
+
 export interface SkillLookupResult {
   skill?: SkillDefinition;
   error?: string;
+  errorCode?: SkillLookupErrorCode;
 }
 
 export interface SkillSelectorResult {
   skill?: SkillSummary;
   error?: string;
+  errorCode?: SkillLookupErrorCode;
 }
 
 // ─── Skill Tool Manifest Types ────────────────────────────────────────────────
@@ -1210,6 +1219,7 @@ export function resolveSkillSelector(
   if (!needle) {
     return {
       error: "Skill selector is required and must be a non-empty string.",
+      errorCode: "invalid_selector",
     };
   }
 
@@ -1218,6 +1228,7 @@ export function resolveSkillSelector(
     return {
       error:
         "No skills are available. Configure ~/.vellum/workspace/skills/SKILLS.md or add skill directories.",
+      errorCode: "empty_catalog",
     };
   }
 
@@ -1236,7 +1247,10 @@ export function resolveSkillSelector(
   }
   if (exactNameMatches.length > 1) {
     const ids = exactNameMatches.map((skill) => skill.id).join(", ");
-    return { error: `Ambiguous skill name "${needle}". Matching IDs: ${ids}` };
+    return {
+      error: `Ambiguous skill name "${needle}". Matching IDs: ${ids}`,
+      errorCode: "ambiguous",
+    };
   }
 
   const idPrefixMatches = catalog.filter((skill) =>
@@ -1249,12 +1263,14 @@ export function resolveSkillSelector(
     const ids = idPrefixMatches.map((skill) => skill.id).join(", ");
     return {
       error: `Ambiguous skill id prefix "${needle}". Matching IDs: ${ids}`,
+      errorCode: "ambiguous",
     };
   }
 
   const knownSkills = catalog.map((skill) => skill.id).join(", ");
   return {
     error: `No skill matched "${needle}". Available skills: ${knownSkills}`,
+    errorCode: "not_found",
   };
 }
 
@@ -1264,7 +1280,10 @@ export function loadSkillBySelector(
 ): SkillLookupResult {
   const resolved = resolveSkillSelector(selector, workspaceSkillsDir);
   if (!resolved.skill) {
-    return { error: resolved.error ?? "Failed to resolve skill selector." };
+    return {
+      error: resolved.error ?? "Failed to resolve skill selector.",
+      errorCode: resolved.errorCode ?? "load_failed",
+    };
   }
   return loadSkillDefinition(resolved.skill);
 }

package/src/context/image-dimensions.ts

@@ -0,0 +1,229 @@
+/**
+ * Parses image dimensions from base64-encoded image data by reading binary headers.
+ * Supports PNG, JPEG, GIF, and WebP formats.
+ * Returns null if parsing fails for any reason (corrupt, truncated, unrecognized).
+ */
+export function parseImageDimensions(
+  base64Data: string,
+  mediaType: string,
+): { width: number; height: number } | null {
+  try {
+    switch (mediaType) {
+      case "image/png":
+        return parsePng(base64Data);
+      case "image/jpeg":
+        return parseJpeg(base64Data);
+      case "image/gif":
+        return parseGif(base64Data);
+      case "image/webp":
+        return parseWebp(base64Data);
+      default:
+        return null;
+    }
+  } catch {
+    return null;
+  }
+}
+
+function decodeBase64Bytes(
+  base64Data: string,
+  maxBytes: number,
+): Buffer | null {
+  // Estimate how much base64 we need: every 4 base64 chars = 3 bytes
+  const charsNeeded = Math.ceil((maxBytes * 4) / 3);
+  const slice = base64Data.slice(0, charsNeeded + 4); // a little extra for padding
+  try {
+    const buf = Buffer.from(slice, "base64");
+    return buf.length > 0 ? buf : null;
+  } catch {
+    return null;
+  }
+}
+
+function readUint32BE(buf: Buffer, offset: number): number {
+  if (offset + 4 > buf.length) return -1;
+  return buf.readUInt32BE(offset);
+}
+
+function readUint16BE(buf: Buffer, offset: number): number {
+  if (offset + 2 > buf.length) return -1;
+  return buf.readUInt16BE(offset);
+}
+
+function readUint16LE(buf: Buffer, offset: number): number {
+  if (offset + 2 > buf.length) return -1;
+  return buf.readUInt16LE(offset);
+}
+
+function readUint32LE(buf: Buffer, offset: number): number {
+  if (offset + 4 > buf.length) return -1;
+  return buf.readUInt32LE(offset);
+}
+
+function readUint24LE(buf: Buffer, offset: number): number {
+  if (offset + 3 > buf.length) return -1;
+  return buf[offset]! | (buf[offset + 1]! << 8) | (buf[offset + 2]! << 16);
+}
+
+function parsePng(
+  base64Data: string,
+): { width: number; height: number } | null {
+  const buf = decodeBase64Bytes(base64Data, 32);
+  if (!buf || buf.length < 24) return null;
+
+  // Validate PNG signature: 89 50 4E 47
+  if (
+    buf[0] !== 0x89 ||
+    buf[1] !== 0x50 ||
+    buf[2] !== 0x4e ||
+    buf[3] !== 0x47
+  ) {
+    return null;
+  }
+
+  const width = readUint32BE(buf, 16);
+  const height = readUint32BE(buf, 20);
+  if (width <= 0 || height <= 0) return null;
+
+  return { width, height };
+}
+
+function parseJpeg(
+  base64Data: string,
+): { width: number; height: number } | null {
+  // Scan up to 1 MiB to handle JPEGs with large EXIF/ICC metadata before the SOF marker
+  const buf = decodeBase64Bytes(base64Data, 1_048_576);
+  if (!buf || buf.length < 2) return null;
+
+  // Validate JPEG SOI marker
+  if (buf[0] !== 0xff || buf[1] !== 0xd8) return null;
+
+  let offset = 2;
+  while (offset < buf.length - 1) {
+    // Find next marker
+    if (buf[offset] !== 0xff) {
+      offset++;
+      continue;
+    }
+
+    // Skip padding 0xFF bytes
+    while (offset < buf.length && buf[offset] === 0xff) {
+      offset++;
+    }
+    if (offset >= buf.length) return null;
+
+    const marker = buf[offset]!;
+    offset++;
+
+    // Check for SOF markers: C0-CF excluding C4 (DHT) and CC (DAC)
+    if (
+      marker >= 0xc0 &&
+      marker <= 0xcf &&
+      marker !== 0xc4 &&
+      marker !== 0xcc
+    ) {
+      // SOF marker found: skip 2-byte length + 1-byte precision
+      if (offset + 7 > buf.length) return null;
+      const height = readUint16BE(buf, offset + 3);
+      const width = readUint16BE(buf, offset + 5);
+      if (width <= 0 || height <= 0) return null;
+      return { width, height };
+    }
+
+    // Skip this marker's payload
+    if (offset + 1 >= buf.length) return null;
+    const segmentLength = readUint16BE(buf, offset);
+    if (segmentLength < 2) return null;
+    offset += segmentLength;
+  }
+
+  return null;
+}
+
+function parseGif(
+  base64Data: string,
+): { width: number; height: number } | null {
+  const buf = decodeBase64Bytes(base64Data, 12);
+  if (!buf || buf.length < 10) return null;
+
+  // Validate GIF signature: 47 49 46 38 (GIF8)
+  if (
+    buf[0] !== 0x47 ||
+    buf[1] !== 0x49 ||
+    buf[2] !== 0x46 ||
+    buf[3] !== 0x38
+  ) {
+    return null;
+  }
+
+  const width = readUint16LE(buf, 6);
+  const height = readUint16LE(buf, 8);
+  if (width <= 0 || height <= 0) return null;
+
+  return { width, height };
+}
+
+function parseWebp(
+  base64Data: string,
+): { width: number; height: number } | null {
+  const buf = decodeBase64Bytes(base64Data, 32);
+  if (!buf || buf.length < 16) return null;
+
+  // Validate RIFF signature
+  if (
+    buf[0] !== 0x52 ||
+    buf[1] !== 0x49 ||
+    buf[2] !== 0x46 ||
+    buf[3] !== 0x46
+  ) {
+    return null;
+  }
+  // Validate WEBP signature at offset 8
+  if (
+    buf[8] !== 0x57 ||
+    buf[9] !== 0x45 ||
+    buf[10] !== 0x42 ||
+    buf[11] !== 0x50
+  ) {
+    return null;
+  }
+
+  // Identify sub-format at offset 12
+  const subFormat =
+    String.fromCharCode(buf[12]!) +
+    String.fromCharCode(buf[13]!) +
+    String.fromCharCode(buf[14]!) +
+    String.fromCharCode(buf[15]!);
+
+  if (subFormat === "VP8 ") {
+    // VP8 lossy
+    if (buf.length < 30) return null;
+    const width = readUint16LE(buf, 26) & 0x3fff;
+    const height = readUint16LE(buf, 28) & 0x3fff;
+    if (width <= 0 || height <= 0) return null;
+    return { width, height };
+  }
+
+  if (subFormat === "VP8L") {
+    // VP8L lossless — validate signature byte 0x2f at offset 20
+    if (buf.length < 25) return null;
+    if (buf[20] !== 0x2f) return null;
+    const bits = readUint32LE(buf, 21);
+    if (bits < 0) return null;
+    const width = (bits & 0x3fff) + 1;
+    const height = ((bits >> 14) & 0x3fff) + 1;
+    if (width <= 0 || height <= 0) return null;
+    return { width, height };
+  }
+
+  if (subFormat === "VP8X") {
+    // VP8X extended
+    if (buf.length < 30) return null;
+    const width = readUint24LE(buf, 24) + 1;
+    const height = readUint24LE(buf, 27) + 1;
+    if (width <= 0 || height <= 0) return null;
+    return { width, height };
+  }
+
+  return null;
+}