@vellumai/assistant 0.4.46 → 0.4.49

package/src/cli/commands/dev.ts

@@ -1,129 +0,0 @@
-import { spawn } from "node:child_process";
-import { join } from "node:path";
-
-import type { Command } from "commander";
-
-import { getDaemonStatus, stopDaemon } from "../../daemon/lifecycle.js";
-import { log } from "../logger.js";
-
-export function registerDevCommand(program: Command): void {
-  program
-    .command("dev")
-    .description("Run the assistant in dev mode")
-    .option(
-      "--watch",
-      "Auto-restart on source file changes (disruptive during Claude Code sessions)",
-    )
-    .addHelpText(
-      "after",
-      `
-Starts the assistant in foreground dev mode for local development. If an
-existing assistant is running, it is stopped first (waits up to 5 seconds
-for an unresponsive assistant before force-killing it).
-
-Behavioral notes:
-  - Sets VELLUM_DEBUG=1 for DEBUG-level logging
-  - Sets VELLUM_LOG_STDERR=1 so logs stream to stderr (visible in terminal)
-  - Sets BASE_DATA_DIR to the repository root
-  - The assistant runs in the foreground; press Ctrl+C to stop
-
-The --watch flag passes bun --watch to the child process, which
-auto-restarts the assistant whenever source files change. This is useful
-during development but disruptive if a Claude Code session is active,
-since the restart kills the running assistant mid-conversation.
-
-Examples:
-  $ assistant dev
-  $ assistant dev --watch`,
-    )
-    .action(async (opts: { watch?: boolean }) => {
-      let status = await getDaemonStatus();
-      if (status.running) {
-        log.info("Stopping existing assistant...");
-        const stopResult = await stopDaemon();
-        if (!stopResult.stopped && stopResult.reason === "stop_failed") {
-          log.error(
-            "Failed to stop existing assistant — process survived SIGKILL",
-          );
-          process.exit(1);
-        }
-      } else if (status.pid) {
-        // PID file references a live process but the socket is unresponsive.
-        // This can happen during the daemon startup window before the socket
-        // is bound. Wait briefly for it to come up before replacing.
-        log.info(
-          "Assistant process alive but socket unresponsive — waiting for startup...",
-        );
-        const maxWait = 5000;
-        const interval = 500;
-        let waited = 0;
-        let resolved = false;
-        while (waited < maxWait) {
-          await new Promise((r) => setTimeout(r, interval));
-          waited += interval;
-          status = await getDaemonStatus();
-          if (status.running) {
-            // Socket came up — stop the daemon normally.
-            log.info("Assistant became responsive, stopping it...");
-            const stopResult = await stopDaemon();
-            if (!stopResult.stopped && stopResult.reason === "stop_failed") {
-              log.error(
-                "Failed to stop existing assistant — process survived SIGKILL",
-              );
-              process.exit(1);
-            }
-            resolved = true;
-            break;
-          }
-          if (!status.pid) {
-            // Process exited on its own — PID file already cleaned up.
-            resolved = true;
-            break;
-          }
-        }
-        if (!resolved) {
-          // Still alive but unresponsive after waiting — stop it via stopDaemon()
-          // which handles SIGTERM → SIGKILL escalation and PID file cleanup.
-          log.info("Assistant still unresponsive after wait — stopping it...");
-          const stopResult = await stopDaemon();
-          if (!stopResult.stopped && stopResult.reason === "stop_failed") {
-            log.error(
-              "Failed to stop existing assistant — process survived SIGKILL",
-            );
-            process.exit(1);
-          }
-        }
-      }
-
-      const mainPath = `${import.meta.dirname}/../../daemon/main.ts`;
-
-      const useWatch = opts.watch === true;
-      log.info(
-        `Starting assistant in dev mode${
-          useWatch ? " with file watching" : ""
-        } (Ctrl+C to stop)`,
-      );
-
-      const repoRoot = join(import.meta.dirname, "..", "..", "..", "..");
-      const args = useWatch ? ["--watch", "run", mainPath] : ["run", mainPath];
-      const child = spawn("bun", args, {
-        stdio: "inherit",
-        env: {
-          ...process.env,
-          BASE_DATA_DIR: repoRoot,
-          VELLUM_LOG_STDERR: "1",
-          VELLUM_DEBUG: "1",
-        },
-      });
-
-      const forward = (signal: NodeJS.Signals) => {
-        child.kill(signal);
-      };
-      process.on("SIGINT", () => forward("SIGINT"));
-      process.on("SIGTERM", () => forward("SIGTERM"));
-
-      child.on("exit", (code) => {
-        process.exit(code ?? 0);
-      });
-    });
-}

package/src/cli/commands/map.ts

@@ -1,391 +0,0 @@
-/**
- * CLI command: `assistant map <domain>`
- *
- * Launches Chrome with CDP, starts a Ride Shotgun learn session to auto-navigate
- * the given domain, then analyzes captured network traffic into a deduplicated API map.
- */
-
-import { Command } from "commander";
-import { parse as parseTld } from "tldts";
-
-import {
-  analyzeApiMap,
-  printApiMapTable,
-  saveApiMap,
-} from "../../tools/browser/api-map.js";
-import { ensureChromeWithCdp } from "../../tools/browser/chrome-cdp.js";
-import { loadRecording } from "../../tools/browser/recording-store.js";
-import { httpSend } from "../http-client.js";
-import { getCliLogger } from "../logger.js";
-
-const log = getCliLogger("cli:map");
-
-/**
- * Extract the registrable base domain from a hostname.
- * e.g. "open.spotify.com" → "spotify.com", "connect.garmin.com" → "garmin.com"
- * Falls back to the input if tldts can't parse it.
- */
-function getBaseDomain(domain: string): string {
-  const result = parseTld(domain);
-  return result.domain ?? domain;
-}
-
-// ---------------------------------------------------------------------------
-// Helpers
-// ---------------------------------------------------------------------------
-
-function output(data: unknown, json: boolean): void {
-  process.stdout.write(
-    json ? JSON.stringify(data) + "\n" : JSON.stringify(data, null, 2) + "\n",
-  );
-}
-
-function outputError(message: string, code = 1): void {
-  output({ ok: false, error: message }, true);
-  process.exitCode = code;
-}
-
-function getJson(cmd: Command): boolean {
-  let c: Command | null = cmd;
-  while (c) {
-    if ((c.opts() as { json?: boolean }).json) return true;
-    c = c.parent;
-  }
-  return false;
-}
-
-/**
- * Bring the Chrome CDP tab to the foreground so the user sees the right window.
- * Optionally navigates to a URL first (used when Chrome was already running).
- */
-async function bringChromeToFront(
-  cdpBase: string,
-  navigateUrl?: string,
-): Promise<string | null> {
-  try {
-    const res = await fetch(`${cdpBase}/json/list`);
-    if (!res.ok) return null;
-    const targets = (await res.json()) as Array<{
-      type: string;
-      url: string;
-      webSocketDebuggerUrl: string;
-    }>;
-    const pageTarget = targets.find((t) => t.type === "page");
-    if (!pageTarget?.webSocketDebuggerUrl) return null;
-
-    const ws = new WebSocket(pageTarget.webSocketDebuggerUrl);
-    await new Promise<void>((resolve, reject) => {
-      ws.onopen = () => resolve();
-      ws.onerror = (e) => reject(new Error(`CDP WebSocket error: ${e}`));
-    });
-
-    let nextId = 1;
-    const cdpSend = (
-      method: string,
-      params?: Record<string, unknown>,
-    ): Promise<unknown> =>
-      new Promise((resolve, reject) => {
-        const id = nextId++;
-        const cleanup = () => {
-          clearTimeout(timeout);
-          ws.removeEventListener("message", handler);
-          ws.removeEventListener("close", onClose);
-          ws.removeEventListener("error", onError);
-        };
-        const timeout = setTimeout(() => {
-          cleanup();
-          reject(new Error(`CDP command ${method} timed out`));
-        }, 5000);
-        const onClose = () => {
-          cleanup();
-          reject(new Error("WebSocket closed before CDP response"));
-        };
-        const onError = (e: Event) => {
-          cleanup();
-          reject(new Error(`WebSocket error: ${e}`));
-        };
-        const handler = (event: MessageEvent) => {
-          const msg = JSON.parse(String(event.data));
-          if (msg.id === id) {
-            cleanup();
-            if (msg.error) reject(new Error(msg.error.message));
-            else resolve(msg.result);
-          }
-        };
-        ws.addEventListener("message", handler);
-        ws.addEventListener("close", onClose);
-        ws.addEventListener("error", onError);
-        ws.send(JSON.stringify({ id, method, params }));
-      });
-
-    if (navigateUrl) {
-      await cdpSend("Page.navigate", { url: navigateUrl });
-      // Brief wait for navigation to start
-      await new Promise((r) => setTimeout(r, 500));
-    }
-
-    await cdpSend("Page.bringToFront");
-    const tabUrl = navigateUrl ?? pageTarget.url;
-    ws.close();
-    return tabUrl;
-  } catch {
-    return null;
-  }
-}
-
-// ---------------------------------------------------------------------------
-// Ride Shotgun learn session helper
-// ---------------------------------------------------------------------------
-
-interface LearnResult {
-  recordingId?: string;
-  recordingPath?: string;
-}
-
-async function startLearnSession(
-  navigateDomain: string,
-  recordDomain: string,
-  durationSeconds: number,
-  autoNavigate: boolean = true,
-): Promise<LearnResult> {
-  const cdpSession = await ensureChromeWithCdp({
-    startUrl: `https://${navigateDomain}/`,
-  });
-
-  // Activate the Chrome window so the user knows which tab to watch
-  const tabUrl = await bringChromeToFront(
-    cdpSession.baseUrl,
-    `https://${navigateDomain}/`,
-  );
-  if (tabUrl) {
-    process.stderr.write(`Chrome is ready — using tab at ${tabUrl}\n`);
-  }
-
-  // Start ride shotgun via HTTP
-  const response = await httpSend("/v1/computer-use/ride-shotgun/start", {
-    method: "POST",
-    body: JSON.stringify({
-      durationSeconds,
-      intervalSeconds: 5,
-      mode: "learn",
-      targetDomain: recordDomain,
-      navigateDomain,
-      autoNavigate,
-    }),
-  });
-
-  if (!response.ok) {
-    const body = await response.text();
-    throw new Error(
-      `Failed to start learn session: ${response.status} ${body}`,
-    );
-  }
-
-  const startResult = (await response.json()) as {
-    watchId?: string;
-    sessionId?: string;
-  };
-
-  if (!startResult.watchId) {
-    throw new Error("Ride-shotgun start response missing watchId");
-  }
-
-  // Poll the status endpoint using watchId to correlate completion
-  const { watchId } = startResult;
-  const timeoutMs = (durationSeconds + 30) * 1000;
-  const pollIntervalMs = 2000;
-  const startTime = Date.now();
-
-  return new Promise<LearnResult>((resolve, reject) => {
-    const tick = async () => {
-      if (Date.now() - startTime > timeoutMs) {
-        reject(
-          new Error(`Learn session timed out after ${durationSeconds + 30}s`),
-        );
-        return;
-      }
-
-      try {
-        const statusRes = await httpSend(
-          `/v1/computer-use/ride-shotgun/status/${watchId}`,
-          { method: "GET" },
-        );
-        if (!statusRes.ok) {
-          setTimeout(tick, pollIntervalMs);
-          return;
-        }
-
-        const status = (await statusRes.json()) as {
-          status: string;
-          recordingId?: string;
-          savedRecordingPath?: string;
-          bootstrapFailureReason?: string;
-        };
-
-        if (status.bootstrapFailureReason) {
-          reject(
-            new Error(`Learn session failed: ${status.bootstrapFailureReason}`),
-          );
-          return;
-        }
-
-        if (status.status === "completed") {
-          if (status.recordingId) {
-            resolve({
-              recordingId: status.recordingId,
-              recordingPath: status.savedRecordingPath,
-            });
-          } else {
-            reject(
-              new Error("Learn session completed but no recording was saved."),
-            );
-          }
-          return;
-        }
-      } catch {
-        // Status endpoint not reachable — continue polling
-      }
-
-      setTimeout(tick, pollIntervalMs);
-    };
-
-    setTimeout(tick, pollIntervalMs);
-  });
-}
-
-// ---------------------------------------------------------------------------
-// Command registration
-// ---------------------------------------------------------------------------
-
-export function registerMapCommand(program: Command): void {
-  program
-    .command("map")
-    .description(
-      "Auto-navigate a domain and produce a deduplicated API map. " +
-        "Launches Chrome with CDP, starts a Ride Shotgun learn session, " +
-        "then analyzes captured network traffic.",
-    )
-    .argument("<domain>", "Domain to map (e.g., example.com)")
-    .option("--duration <seconds>", "Recording duration in seconds")
-    .option(
-      "--manual",
-      "Manual mode: browse the site yourself while network traffic is recorded",
-    )
-    .option("--json", "Machine-readable JSON output")
-    .addHelpText(
-      "after",
-      `
-Arguments:
-  domain   The domain to map (e.g. example.com, open.spotify.com). Subdomains
-           are navigated directly but network traffic is recorded for the
-           entire base domain (e.g. open.spotify.com navigates that subdomain
-           but records all *.spotify.com traffic).
-
-Two modes of operation:
-  auto (default)   The assistant auto-navigates the site using Ride Shotgun,
-                   clicking links and exploring pages autonomously. Default
-                   duration: 120 seconds.
-  --manual         You browse the site yourself while network traffic is
-                   recorded in the background. Default duration: 60 seconds.
-
-How it works:
-  1. Launches Chrome with Chrome DevTools Protocol (CDP) enabled
-  2. Starts a Ride Shotgun learn session to capture network traffic
-  3. Deduplicates captured requests into unique API endpoints
-  4. Saves the API map to disk and prints a summary table
-
-The assistant must be running (the learn session is coordinated through it).
-
-Examples:
-  $ assistant map example.com
-  $ assistant map open.spotify.com --duration 180
-  $ assistant map garmin.com --manual`,
-    )
-    .action(
-      async (
-        domain: string,
-        opts: { duration?: string; manual?: boolean; json?: boolean },
-        cmd: Command,
-      ) => {
-        const json = getJson(cmd);
-        const manual = opts.manual ?? false;
-        const duration = opts.duration
-          ? parseInt(opts.duration, 10)
-          : manual
-            ? 60
-            : 120;
-
-        try {
-          // Split into navigation domain (what Chrome browses) and recording domain (network filter).
-          // e.g. "open.spotify.com" → navigate open.spotify.com, record *.spotify.com
-          const navigateDomain = domain;
-          const recordDomain = getBaseDomain(domain);
-
-          if (!json) {
-            if (manual) {
-              log.info(
-                `Starting manual API map session for ${domain} (${duration}s)...`,
-              );
-              log.info(
-                "Browse the site manually. Press Ctrl+C or wait for idle detection to stop recording.",
-              );
-            } else if (navigateDomain !== recordDomain) {
-              log.info(
-                `Starting API map session: navigating ${navigateDomain}, recording *.${recordDomain} (${duration}s)...`,
-              );
-            } else {
-              log.info(
-                `Starting API map session for ${domain} (${duration}s)...`,
-              );
-            }
-          }
-          const result = await startLearnSession(
-            navigateDomain,
-            recordDomain,
-            duration,
-            !manual,
-          );
-
-          if (!result.recordingId) {
-            outputError("Recording completed but no recording ID returned");
-            return;
-          }
-
-          // 2. Load the recording
-          const recording = loadRecording(result.recordingId);
-          if (!recording) {
-            outputError(`Failed to load recording ${result.recordingId}`);
-            return;
-          }
-
-          // 3. Analyze the API map
-          const apiMap = analyzeApiMap(recording.networkEntries, domain);
-
-          // 4. Save the API map
-          const savedPath = saveApiMap(domain, apiMap);
-
-          // 5. Display results
-          if (!json) {
-            printApiMapTable(apiMap);
-            log.info(`API map saved to: ${savedPath}`);
-          }
-
-          // 6. Output JSON result
-          output(
-            {
-              ok: true,
-              domain,
-              recordingId: result.recordingId,
-              savedPath,
-              totalRequests: apiMap.totalRequests,
-              endpointCount: apiMap.endpoints.length,
-              apiMap,
-            },
-            json,
-          );
-        } catch (err) {
-          outputError(err instanceof Error ? err.message : String(err));
-        }
-      },
-    );
-}

package/src/cli/commands/oauth.ts

@@ -1,77 +0,0 @@
-import type { Command } from "commander";
-
-import { withValidToken } from "../../security/token-manager.js";
-import { shouldOutputJson, writeOutput } from "../output.js";
-
-export function registerOAuthCommand(program: Command): void {
-  const oauth = program
-    .command("oauth")
-    .description("Manage OAuth tokens for connected integrations")
-    .option("--json", "Machine-readable compact JSON output");
-
-  oauth.addHelpText(
-    "after",
-    `
-OAuth tokens are managed automatically — the "token" command returns a
-guaranteed-valid access token, refreshing transparently if the stored token
-is expired or near-expiry. Callers never need to handle refresh themselves.
-
-The <service> argument is the short integration name (e.g. "twitter", "gmail",
-"slack"). Internally this maps to credential:integration:<service>:access_token.
-
-Examples:
-  $ assistant oauth token twitter
-  $ assistant oauth token twitter --json
-  $ TOKEN=$(assistant oauth token gmail)
-  $ curl -H "Authorization: Bearer $(assistant oauth token twitter)" https://api.x.com/2/tweets`,
-  );
-
-  // ---------------------------------------------------------------------------
-  // token — return a guaranteed-valid access token
-  // ---------------------------------------------------------------------------
-
-  oauth
-    .command("token <service>")
-    .description(
-      "Print a valid OAuth access token for a service, refreshing if expired",
-    )
-    .addHelpText(
-      "after",
-      `
-Arguments:
-  service   Integration name without the "integration:" prefix
-            (e.g. "twitter", "gmail", "slack")
-
-Returns a valid OAuth access token for the given service. If the stored token
-is expired or near-expiry, it is refreshed automatically before being returned.
-The refresh uses the stored refresh token and OAuth2 configuration from
-credential metadata — no additional input is required.
-
-In human mode, prints the bare token to stdout (suitable for shell substitution).
-In JSON mode (--json), prints {"ok": true, "token": "..."}.
-
-Exits with code 1 if no access token exists for the service, no refresh token
-is available, or the token refresh fails (e.g. revoked credentials).
-
-Examples:
-  $ assistant oauth token twitter
-  $ assistant oauth token gmail --json
-  $ export TOKEN=$(assistant oauth token twitter)`,
-    )
-    .action(async (service: string, _opts: unknown, cmd: Command) => {
-      try {
-        const qualifiedService = `integration:${service}`;
-        const token = await withValidToken(qualifiedService, async (t) => t);
-
-        if (shouldOutputJson(cmd)) {
-          writeOutput(cmd, { ok: true, token });
-        } else {
-          process.stdout.write(token + "\n");
-        }
-      } catch (err) {
-        const message = err instanceof Error ? err.message : String(err);
-        writeOutput(cmd, { ok: false, error: message });
-        process.exitCode = 1;
-      }
-    });
-}

package/src/config/bundled-skills/computer-use/tools/computer-use-request-control.ts

@@ -1,16 +0,0 @@
-import { forwardComputerUseProxyTool } from "../../../../tools/computer-use/skill-proxy-bridge.js";
-import type {
-  ToolContext,
-  ToolExecutionResult,
-} from "../../../../tools/types.js";
-
-export async function run(
-  input: Record<string, unknown>,
-  context: ToolContext,
-): Promise<ToolExecutionResult> {
-  return forwardComputerUseProxyTool(
-    "computer_use_request_control",
-    input,
-    context,
-  );
-}