@vellumai/assistant 0.4.49 → 0.4.51

package/src/cli/commands/oauth/index.ts

@@ -17,7 +17,7 @@ The oauth command group manages the full OAuth lifecycle:
 
   providers   Protocol-level configurations (auth URLs, scopes, endpoints)
   apps        Client credentials (client ID / secret pairs)
-  connections Active token grants per provider (list, get, token)
+  connections Active token grants per provider (list, get, token, disconnect)
 
 Providers are seeded on startup for built-in integrations. Apps and connections
 are created during the OAuth authorization flow or can be managed manually via
@@ -26,9 +26,9 @@ their respective subcommands.
 Examples:
   $ assistant oauth connections token integration:twitter
   $ assistant oauth connections list
-  $ assistant oauth connections get --provider integration:gmail
+  $ assistant oauth connections get --provider integration:google
   $ assistant oauth providers list
-  $ assistant oauth providers get integration:gmail
+  $ assistant oauth providers get integration:google
   $ assistant oauth providers register --provider-key custom:myapi --auth-url https://example.com/auth --token-url https://example.com/token`,
   );
 

package/src/cli/commands/oauth/providers.ts

@@ -39,7 +39,7 @@ authorization URL, token URL, default scopes, and other endpoint details.
 They are seeded on startup for built-in integrations (e.g. Gmail, Twitter,
 Slack) but can also be registered dynamically via the "register" subcommand.
 
-Each provider is identified by a provider key (e.g. "integration:gmail").`,
+Each provider is identified by a provider key (e.g. "integration:google").`,
   );
 
   // ---------------------------------------------------------------------------
@@ -115,7 +115,7 @@ Examples:
       "after",
       `
 Arguments:
-  provider-key   The full provider key (e.g. "integration:gmail").
+  provider-key   The full provider key (e.g. "integration:google").
                  Must match the key used during registration or seeding.
 
 Returns the full provider configuration including auth URL, token URL,
@@ -123,7 +123,7 @@ default scopes, scope policy, and extra parameters. Exits with code 1
 if the provider key is not found.
 
 Examples:
-  $ assistant oauth providers get integration:gmail
+  $ assistant oauth providers get integration:google
   $ assistant oauth providers get integration:twitter --json`,
     )
     .action((providerKey: string, _opts: unknown, cmd: Command) => {
@@ -171,6 +171,10 @@ Examples:
       }
       return port;
     })
+    .option(
+      "--ping-url <url>",
+      "Health-check endpoint URL for token validation",
+    )
     .addHelpText(
       "after",
       `
@@ -186,6 +190,9 @@ Arguments (via options):
                         (e.g. "client_secret_post", "client_secret_basic").
   --callback-transport  Transport method for the OAuth callback.
   --loopback-port       Port number for the local loopback callback server (1-65535).
+  --ping-url            Optional URL for a lightweight health-check endpoint.
+                        Used by "connections ping" to validate that a stored token
+                        is still functional (e.g. "https://api.example.com/user").
 
 Registers a new OAuth provider configuration in the local store. This is
 used for custom integrations not covered by the built-in provider seeds.
@@ -200,7 +207,12 @@ Examples:
       --provider-key integration:my-service \\
       --auth-url https://my-service.com/auth \\
       --token-url https://my-service.com/token \\
-      --scopes read,write --json`,
+      --scopes read,write --json
+  $ assistant oauth providers register \\
+      --provider-key integration:custom-api \\
+      --auth-url https://example.com/auth \\
+      --token-url https://example.com/token \\
+      --ping-url https://example.com/user`,
     )
     .action(
       (
@@ -214,6 +226,7 @@ Examples:
           tokenAuthMethod?: string;
           callbackTransport?: string;
           loopbackPort?: number;
+          pingUrl?: string;
         },
         cmd: Command,
       ) => {
@@ -229,6 +242,7 @@ Examples:
             tokenEndpointAuthMethod: opts.tokenAuthMethod,
             callbackTransport: opts.callbackTransport,
             loopbackPort: opts.loopbackPort,
+            pingUrl: opts.pingUrl,
           });
 
           writeOutput(cmd, parseProviderRow(row));

package/src/cli/commands/sessions.ts

@@ -12,7 +12,10 @@ import {
   getMessages,
 } from "../../memory/conversation-crud.js";
 import { listConversations } from "../../memory/conversation-queries.js";
-import { selectEmbeddingBackend } from "../../memory/embedding-backend.js";
+import {
+  selectEmbeddingBackend,
+  SPARSE_EMBEDDING_VERSION,
+} from "../../memory/embedding-backend.js";
 import { initQdrantClient } from "../../memory/qdrant-client.js";
 import { timeAgo } from "../../util/time.js";
 import { initializeDb } from "../db.js";
@@ -226,7 +229,7 @@ Examples:
       const qdrantUrl = getQdrantUrlEnv() || config.memory.qdrant.url;
       const embeddingSelection = selectEmbeddingBackend(config);
       const embeddingModel = embeddingSelection.backend
-        ? `${embeddingSelection.backend.provider}:${embeddingSelection.backend.model}`
+        ? `${embeddingSelection.backend.provider}:${embeddingSelection.backend.model}:sparse-v${SPARSE_EMBEDDING_VERSION}`
         : undefined;
       const qdrant = initQdrantClient({
         url: qdrantUrl,

package/src/cli/commands/skills.ts

@@ -8,6 +8,14 @@ import {
   readLocalCatalog,
   uninstallSkillLocally,
 } from "../../skills/catalog-install.js";
+import type { AuditResponse } from "../../skills/skillssh-registry.js";
+import {
+  fetchSkillAudits,
+  formatAuditBadges,
+  installExternalSkill,
+  resolveSkillSource,
+  searchSkillsRegistry,
+} from "../../skills/skillssh-registry.js";
 import { log } from "../logger.js";
 
 // ---------------------------------------------------------------------------
@@ -28,9 +36,13 @@ capabilities with pre-built workflows and tools.
 Examples:
   $ assistant skills list
   $ assistant skills list --json
+  $ assistant skills search react
+  $ assistant skills search react --limit 5 --json
   $ assistant skills install weather
   $ assistant skills install weather --overwrite
-  $ assistant skills uninstall weather`,
+  $ assistant skills uninstall weather
+  $ assistant skills add vercel-labs/skills@find-skills
+  $ assistant skills add vercel-labs/skills/find-skills --overwrite`,
   );
 
   skills
@@ -79,6 +91,102 @@ Examples:
       }
     });
 
+  skills
+    .command("search <query>")
+    .description("Search the skills.sh community registry")
+    .option("--limit <n>", "Maximum number of results", "10")
+    .option("--json", "Machine-readable JSON output")
+    .addHelpText(
+      "after",
+      `
+Arguments:
+  query    Free-text search term matched against skill names, descriptions,
+           and tags in the skills.sh registry.
+
+Searches the skills.sh community registry and displays matching skills
+with install counts and security audit badges (ATH, Socket, Snyk).
+Audit fetch failures are non-fatal — results are still shown without
+security data.
+
+Examples:
+  $ assistant skills search react
+  $ assistant skills search "file management" --limit 3
+  $ assistant skills search deploy --json`,
+    )
+    .action(async (query: string, opts: { limit: string; json?: boolean }) => {
+      const json = opts.json ?? false;
+      const limit = parseInt(opts.limit, 10) || 10;
+
+      try {
+        const results = await searchSkillsRegistry(query, limit);
+
+        if (results.length === 0) {
+          if (json) {
+            console.log(JSON.stringify({ ok: true, results: [], audits: {} }));
+          } else {
+            log.info(`No skills found for "${query}".`);
+          }
+          return;
+        }
+
+        // Group skill slugs by source for batch audit lookups
+        const sourceToSlugs = new Map<string, string[]>();
+        for (const r of results) {
+          const slugs = sourceToSlugs.get(r.source) ?? [];
+          slugs.push(r.skillId);
+          sourceToSlugs.set(r.source, slugs);
+        }
+
+        // Fetch audits for each unique source, keyed by source/skillId
+        // to avoid collisions when different sources share the same slug.
+        const allAudits: AuditResponse = {};
+        for (const [source, slugs] of sourceToSlugs) {
+          try {
+            const audits = await fetchSkillAudits(source, slugs);
+            for (const [skillId, auditData] of Object.entries(audits)) {
+              allAudits[`${source}/${skillId}`] = auditData;
+            }
+          } catch {
+            // Audit fetch failures are non-fatal; display results without audits
+          }
+        }
+
+        if (json) {
+          console.log(
+            JSON.stringify({
+              ok: true,
+              results,
+              audits: allAudits,
+            }),
+          );
+          return;
+        }
+
+        log.info(`Search results for "${query}" (${results.length}):\n`);
+        for (const r of results) {
+          log.info(`  ${r.name}`);
+          log.info(`    ID: ${r.skillId}`);
+          log.info(`    Source: ${r.source}`);
+          log.info(`    Installs: ${r.installs}`);
+          const auditData = allAudits[`${r.source}/${r.skillId}`];
+          if (auditData) {
+            log.info(`    ${formatAuditBadges(auditData)}`);
+          } else {
+            log.info("    Security: no audit data");
+          }
+          log.info("");
+        }
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        if (json) {
+          console.log(JSON.stringify({ ok: false, error: msg }));
+        } else {
+          log.error(`Error: ${msg}`);
+        }
+        process.exitCode = 1;
+      }
+    });
+
   skills
     .command("install <skill-id>")
     .description("Install a skill from the catalog")
@@ -157,4 +265,68 @@ Examples:
         process.exitCode = 1;
       }
     });
+
+  skills
+    .command("add <source>")
+    .description(
+      "Install a community skill from the skills.sh registry (GitHub)",
+    )
+    .option("--overwrite", "Replace an already installed skill")
+    .option("--json", "Machine-readable JSON output")
+    .addHelpText(
+      "after",
+      `
+Arguments:
+  source   Skill source in one of these formats:
+             owner/repo@skill-name
+             owner/repo/skill-name
+             https://github.com/owner/repo/tree/<branch>/skills/skill-name
+
+Notes:
+  Fetches the skill's SKILL.md and supporting files from the specified GitHub
+  repository and installs them into the workspace skills directory. A
+  version.json file is written with origin metadata for provenance tracking.
+
+Examples:
+  $ assistant skills add vercel-labs/skills@find-skills
+  $ assistant skills add vercel-labs/skills/find-skills
+  $ assistant skills add vercel-labs/skills@find-skills --overwrite`,
+    )
+    .action(
+      async (source: string, opts: { overwrite?: boolean; json?: boolean }) => {
+        const json = opts.json ?? false;
+
+        try {
+          const { owner, repo, skillSlug, ref } = resolveSkillSource(source);
+
+          await installExternalSkill(
+            owner,
+            repo,
+            skillSlug,
+            opts.overwrite ?? false,
+            ref,
+          );
+
+          if (json) {
+            console.log(
+              JSON.stringify({
+                ok: true,
+                skillSlug,
+                source: `${owner}/${repo}`,
+              }),
+            );
+          } else {
+            log.info(`Installed skill "${skillSlug}" from ${owner}/${repo}.`);
+          }
+        } catch (err) {
+          const msg = err instanceof Error ? err.message : String(err);
+          if (json) {
+            console.log(JSON.stringify({ ok: false, error: msg }));
+          } else {
+            log.error(`Error: ${msg}`);
+          }
+          process.exitCode = 1;
+        }
+      },
+    );
 }

package/src/cli/http-client.ts

@@ -64,23 +64,3 @@ export async function httpSend(
   }
   return fetch(url, { ...init, headers });
 }
-
-// ---------------------------------------------------------------------------
-// Health check
-// ---------------------------------------------------------------------------
-
-/**
- * Perform an HTTP health check against the daemon's `/healthz` endpoint.
- * Returns true if the daemon responds with HTTP 200, false otherwise.
- */
-export async function httpHealthCheck(timeoutMs = 2000): Promise<boolean> {
-  try {
-    const url = `${getHttpBaseUrl()}/healthz`;
-    const response = await fetch(url, {
-      signal: AbortSignal.timeout(timeoutMs),
-    });
-    return response.ok;
-  } catch {
-    return false;
-  }
-}

package/src/cli/main-screen.tsx

@@ -1,8 +1,8 @@
 import { createRequire } from "node:module";
 import { dirname, join } from "node:path";
 
+import { getGatewayInternalBaseUrl } from "../config/env.js";
 import { getWorkspaceDir } from "../util/platform.js";
-import { getHttpBaseUrl } from "./http-client.js";
 
 const LEFT_PANEL_WIDTH = 36;
 const RIGHT_LINE_COUNT = 11;
@@ -14,7 +14,7 @@ export interface MainScreenLayout {
 }
 
 export function renderMainScreen(): MainScreenLayout {
-  const httpUrl = getHttpBaseUrl();
+  const httpUrl = getGatewayInternalBaseUrl();
   const workspace = getWorkspaceDir();
   const assistantId = workspace.split("/").pop() ?? "vellum";
 

package/src/cli/program.ts

@@ -1,8 +1,7 @@
-import { createRequire } from "node:module";
-
 import { Command } from "commander";
 
 import { registerHooksCommand } from "../hooks/cli.js";
+import { APP_VERSION } from "../version.js";
 import { registerAuditCommand } from "./commands/audit.js";
 import { registerAutonomyCommand } from "./commands/autonomy.js";
 import { registerBrowserRelayCommand } from "./commands/browser-relay.js";
@@ -25,13 +24,13 @@ import { registerSessionsCommand } from "./commands/sessions.js";
 import { registerSkillsCommand } from "./commands/skills.js";
 import { registerTrustCommand } from "./commands/trust.js";
 
-const require = createRequire(import.meta.url);
-const { version } = require("../../package.json") as { version: string };
-
 export function buildCliProgram(): Command {
   const program = new Command();
 
-  program.name("assistant").description("Local AI assistant").version(version);
+  program
+    .name("assistant")
+    .description("Local AI assistant")
+    .version(APP_VERSION);
 
   registerDefaultAction(program);
   registerSessionsCommand(program);

package/src/cli.ts

@@ -1,9 +1,14 @@
 import { randomUUID } from "node:crypto";
-import { appendFileSync, mkdirSync, readFileSync } from "node:fs";
-import { dirname } from "node:path";
+import {
+  appendFileSync,
+  mkdirSync,
+  readFileSync,
+  writeFileSync,
+} from "node:fs";
+import { dirname, join } from "node:path";
 import * as readline from "node:readline";
 
-import { httpHealthCheck, httpSend, readHttpToken } from "./cli/http-client.js";
+import { httpSend } from "./cli/http-client.js";
 import {
   type MainScreenLayout,
   renderMainScreen,
@@ -11,6 +16,7 @@ import {
   updateStatusText,
 } from "./cli/main-screen.jsx";
 import { shouldAutoStartDaemon } from "./daemon/connection-policy.js";
+import { isHttpHealthy } from "./daemon/daemon-control.js";
 import { ensureDaemonRunning } from "./daemon/lifecycle.js";
 import type {
   ConfirmationRequest,
@@ -22,7 +28,7 @@ import {
   formatSessionForExport,
 } from "./util/clipboard.js";
 import { formatDiff, formatNewFileDiff } from "./util/diff.js";
-import { getHistoryPath } from "./util/platform.js";
+import { getHistoryPath, getWorkspaceDir } from "./util/platform.js";
 import { Spinner } from "./util/spinner.js";
 import { timeAgo } from "./util/time.js";
 import { truncate } from "./util/truncate.js";
@@ -219,16 +225,15 @@ export async function startCli(): Promise<void> {
     rl.prompt();
   }
 
-  /** Send a confirmation decision via HTTP. */
-  async function sendConfirmation(
-    requestId: string,
-    decision: string,
-  ): Promise<void> {
+  /** Send a confirmation decision via signal file (read by the daemon). */
+  function sendConfirmation(requestId: string, decision: string): void {
     try {
-      await httpSend("/v1/confirm", {
-        method: "POST",
-        body: JSON.stringify({ requestId, decision }),
-      });
+      const signalsDir = join(getWorkspaceDir(), "signals");
+      mkdirSync(signalsDir, { recursive: true });
+      writeFileSync(
+        join(signalsDir, "confirm"),
+        JSON.stringify({ requestId, decision }),
+      );
     } catch {
       process.stdout.write("[Failed to send confirmation]\n");
     }
@@ -637,7 +642,7 @@ export async function startCli(): Promise<void> {
       case "memory_recalled":
         spinner.stop();
         process.stdout.write(
-          `\n\x1B[2m[Memory recalled: ${msg.injectedTokens} tokens | lexical ${msg.lexicalHits} | semantic ${msg.semanticHits} | recency ${msg.recencyHits} | entity ${msg.entityHits} | merged ${msg.mergedCount} → selected ${msg.selectedCount}${msg.rerankApplied ? " (reranked)" : ""} | ${msg.provider}/${msg.model} | ${msg.latencyMs}ms]\x1B[0m\n`,
+          `\n\x1B[2m[Memory recalled: ${msg.injectedTokens} tokens | t1 ${msg.tier1Count} t2 ${msg.tier2Count} | semantic ${msg.semanticHits} | recency ${msg.recencyHits} | merged ${msg.mergedCount} → selected ${msg.selectedCount}${msg.sparseVectorUsed ? " (sparse)" : ""} | hybrid ${msg.hybridSearchLatencyMs}ms | ${msg.provider}/${msg.model} | ${msg.latencyMs}ms]\x1B[0m\n`,
         );
         spinner.start("Thinking...");
         break;
@@ -885,17 +890,10 @@ export async function startCli(): Promise<void> {
 
   /** Connect the SSE event stream for the current conversation. */
   async function connectSse(): Promise<void> {
-    const token = readHttpToken();
     const controller = new AbortController();
     sseAbortController = controller;
 
     const url = `/v1/events?conversationKey=${encodeURIComponent(conversationKey)}`;
-    const headers: Record<string, string> = {
-      Accept: "text/event-stream",
-    };
-    if (token) {
-      headers["Authorization"] = `Bearer ${token}`;
-    }
 
     try {
       const response = await httpSend(url, {
@@ -1010,7 +1008,7 @@ export async function startCli(): Promise<void> {
       try {
         if (shouldAutoStartDaemon()) await ensureDaemonRunning();
         // Verify the daemon is healthy before attempting SSE
-        const healthy = await httpHealthCheck(2000);
+        const healthy = await isHttpHealthy();
         if (!healthy) throw new Error("Health check failed");
         await connectSse();
         reconnectDelay = RECONNECT_BASE_DELAY_MS;

package/src/config/__tests__/feature-flag-registry-bundled.test.ts

@@ -0,0 +1,39 @@
+/**
+ * Smoke test: verifies that the bundled feature-flag-registry.json exists
+ * in the assistant source tree and is a valid, non-empty registry.
+ *
+ * The bundled copy is created by `meta/feature-flags/sync-bundled-copies.ts`
+ * (run via postinstall or CI sync step). This test catches cases where the
+ * sync was skipped — e.g. Docker builds that forget to copy the registry.
+ */
+
+import { existsSync, readFileSync, statSync } from "node:fs";
+import { join } from "node:path";
+import { describe, expect, test } from "bun:test";
+
+const BUNDLED_PATH = join(
+  import.meta.dirname ?? __dirname,
+  "..",
+  "feature-flag-registry.json",
+);
+
+describe("bundled feature-flag-registry.json", () => {
+  test("file exists", () => {
+    expect(
+      existsSync(BUNDLED_PATH),
+      `Expected bundled registry at ${BUNDLED_PATH}. Run: bun run meta/feature-flags/sync-bundled-copies.ts`,
+    ).toBe(true);
+  });
+
+  test("file is non-empty and valid JSON", () => {
+    const stat = statSync(BUNDLED_PATH);
+    expect(stat.size).toBeGreaterThan(0);
+
+    const raw = readFileSync(BUNDLED_PATH, "utf-8");
+    const registry = JSON.parse(raw);
+
+    expect(registry.version).toBe(1);
+    expect(Array.isArray(registry.flags)).toBe(true);
+    expect(registry.flags.length).toBeGreaterThan(0);
+  });
+});

package/src/config/bundled-skills/computer-use/TOOLS.json

@@ -301,7 +301,7 @@
     },
     {
       "name": "computer_use_respond",
-      "description": "Respond directly to the user with a text answer. Use this when the user is asking a question (about their schedule, meetings, calendar, etc.) rather than asking you to control the computer.",
+      "description": "Respond to the user with a text answer instead of performing computer actions. Use this when you can answer directly without interacting with the screen.",
       "category": "computer-use",
       "risk": "low",
       "input_schema": {

package/src/config/bundled-skills/computer-use/tools/computer-use-observe.ts

@@ -0,0 +1,12 @@
+import { forwardComputerUseProxyTool } from "../../../../tools/computer-use/skill-proxy-bridge.js";
+import type {
+  ToolContext,
+  ToolExecutionResult,
+} from "../../../../tools/types.js";
+
+export async function run(
+  input: Record<string, unknown>,
+  context: ToolContext,
+): Promise<ToolExecutionResult> {
+  return forwardComputerUseProxyTool("computer_use_observe", input, context);
+}