@vellumai/assistant 0.4.53 → 0.4.54

package/src/daemon/tls-certs.ts

@@ -1,270 +0,0 @@
-import { createPrivateKey, X509Certificate } from "node:crypto";
-import { chmod, mkdir, readFile, stat, writeFile } from "node:fs/promises";
-import { join } from "node:path";
-
-import { getLogger } from "../util/logger.js";
-import { getRootDir } from "../util/platform.js";
-
-const log = getLogger("tls-certs");
-
-const TLS_DIR = "tls";
-const CERT_FILENAME = "cert.pem";
-const KEY_FILENAME = "key.pem";
-const FINGERPRINT_FILENAME = "fingerprint";
-
-/** Returns the TLS directory path (~/.vellum/tls/). */
-export function getTlsDir(): string {
-  return join(getRootDir(), TLS_DIR);
-}
-
-/** Returns the path to the TLS certificate. */
-export function getTlsCertPath(): string {
-  return join(getTlsDir(), CERT_FILENAME);
-}
-
-/** Returns the path to the TLS private key. */
-export function getTlsKeyPath(): string {
-  return join(getTlsDir(), KEY_FILENAME);
-}
-
-/** Returns the path to the certificate fingerprint file. */
-export function getTlsFingerprintPath(): string {
-  return join(getTlsDir(), FINGERPRINT_FILENAME);
-}
-
-/**
- * Compute the SHA-256 fingerprint of a DER-encoded certificate.
- * Returns hex lowercase, no colons.
- */
-function computeFingerprint(cert: X509Certificate): string {
-  // X509Certificate.fingerprint256 returns colon-separated uppercase hex.
-  // Normalize to lowercase without colons for compact storage and comparison.
-  return cert.fingerprint256.replace(/:/g, "").toLowerCase();
-}
-
-type CertStatus = "valid" | "approaching_expiry" | "invalid";
-
-/**
- * Check whether an existing cert+key pair is valid:
- * - All three files exist (cert, key, fingerprint)
- * - Cert is parseable as X509
- * - Cert is not expired
- * - Fingerprint file exists and matches the cert
- * - Private key is valid and matches the certificate
- *
- * Returns 'valid' if the cert is good, 'approaching_expiry' if it's still usable
- * but expires within 30 days (renewal should be attempted), or 'invalid' if the
- * cert cannot be used at all.
- */
-async function checkCertStatus(): Promise<CertStatus> {
-  const certPath = getTlsCertPath();
-  const keyPath = getTlsKeyPath();
-  const fpPath = getTlsFingerprintPath();
-
-  // Check all three files exist
-  const [certExists, keyExists, fpExists] = await Promise.all([
-    stat(certPath).then(
-      () => true,
-      () => false,
-    ),
-    stat(keyPath).then(
-      () => true,
-      () => false,
-    ),
-    stat(fpPath).then(
-      () => true,
-      () => false,
-    ),
-  ]);
-
-  if (!certExists || !keyExists || !fpExists) {
-    return "invalid";
-  }
-
-  try {
-    const [certPem, keyPem, storedFp] = await Promise.all([
-      readFile(certPath, "utf-8"),
-      readFile(keyPath, "utf-8"),
-      readFile(fpPath, "utf-8"),
-    ]);
-
-    const x509 = new X509Certificate(certPem);
-
-    // Check expiration
-    const now = new Date();
-    const notAfter = new Date(x509.validTo);
-    if (notAfter <= now) {
-      log.info("Existing TLS certificate has expired, will regenerate");
-      return "invalid";
-    }
-
-    // Check fingerprint matches
-    const actualFp = computeFingerprint(x509);
-    if (actualFp !== storedFp.trim()) {
-      log.info("TLS fingerprint mismatch, will regenerate");
-      return "invalid";
-    }
-
-    // Verify the private key is valid and matches the certificate's public key.
-    // This catches corrupted key files or cert/key mismatches that would cause
-    // tls.createServer() to fail at runtime.
-    const privateKey = createPrivateKey(keyPem);
-    if (!x509.checkPrivateKey(privateKey)) {
-      log.info("TLS private key does not match certificate, will regenerate");
-      return "invalid";
-    }
-
-    // Cert is structurally valid — check if it's approaching expiry
-    const thirtyDaysMs = 30 * 24 * 60 * 60 * 1000;
-    if (notAfter.getTime() - now.getTime() < thirtyDaysMs) {
-      log.info("TLS certificate approaching expiry, will attempt renewal");
-      return "approaching_expiry";
-    }
-
-    return "valid";
-  } catch (err) {
-    log.warn(
-      { err },
-      "Failed to validate existing TLS certificate, will regenerate",
-    );
-    return "invalid";
-  }
-}
-
-/**
- * Ensure a self-signed TLS certificate exists for the daemon.
- *
- * Stores files in `~/.vellum/tls/`:
- * - `cert.pem` (0o644) — self-signed certificate
- * - `key.pem` (0o600) — private key
- * - `fingerprint` (0o644) — SHA-256 hex fingerprint (lowercase, no colons)
- *
- * Idempotent: skips generation if a valid cert already exists.
- * Auto-regenerates if the cert is expired, fingerprint is missing/mismatched,
- * or key/cert files are corrupt.
- *
- * Returns the cert, key (PEM strings), and fingerprint.
- */
-export async function ensureTlsCert(): Promise<{
-  cert: string;
-  key: string;
-  fingerprint: string;
-}> {
-  const tlsDir = getTlsDir();
-  const certPath = getTlsCertPath();
-  const keyPath = getTlsKeyPath();
-  const fpPath = getTlsFingerprintPath();
-
-  const status = await checkCertStatus();
-
-  if (status === "valid") {
-    const [cert, key, fingerprint] = await Promise.all([
-      readFile(certPath, "utf-8"),
-      readFile(keyPath, "utf-8"),
-      readFile(fpPath, "utf-8"),
-    ]);
-    log.info("Using existing TLS certificate");
-    return { cert, key, fingerprint: fingerprint.trim() };
-  }
-
-  if (status === "approaching_expiry") {
-    try {
-      // Buffer existing cert/key/fingerprint before attempting renewal.
-      // generateNewCert() overwrites key.pem in-place, so if it fails mid-flight
-      // (e.g., key written but cert generation fails), reading from disk in the
-      // catch block would return a mismatched key/cert pair.
-      const [existingCert, existingKey, existingFp] = await Promise.all([
-        readFile(certPath, "utf-8"),
-        readFile(keyPath, "utf-8"),
-        readFile(fpPath, "utf-8"),
-      ]);
-      try {
-        return await generateNewCert(tlsDir, certPath, keyPath, fpPath);
-      } catch (err) {
-        log.warn(
-          { err },
-          "Proactive TLS renewal failed, continuing with existing certificate",
-        );
-        return {
-          cert: existingCert,
-          key: existingKey,
-          fingerprint: existingFp.trim(),
-        };
-      }
-    } catch (err) {
-      log.warn(
-        { err },
-        "Failed to read existing TLS cert for buffering, attempting regeneration",
-      );
-      return await generateNewCert(tlsDir, certPath, keyPath, fpPath);
-    }
-  }
-
-  // status === 'invalid' — must regenerate, no fallback
-  return await generateNewCert(tlsDir, certPath, keyPath, fpPath);
-}
-
-async function generateNewCert(
-  tlsDir: string,
-  certPath: string,
-  keyPath: string,
-  fpPath: string,
-): Promise<{ cert: string; key: string; fingerprint: string }> {
-  log.info("Generating new self-signed TLS certificate");
-  await mkdir(tlsDir, { recursive: true });
-
-  // Generate RSA 2048 key
-  const keyProc = Bun.spawn(["openssl", "genrsa", "-out", keyPath, "2048"], {
-    stdout: "pipe",
-    stderr: "pipe",
-  });
-  const keyExit = await keyProc.exited;
-  if (keyExit !== 0) {
-    const stderr = await new Response(keyProc.stderr).text();
-    throw new Error(`Failed to generate TLS key: ${stderr}`);
-  }
-
-  // Generate self-signed cert (1-year validity)
-  const certProc = Bun.spawn(
-    [
-      "openssl",
-      "req",
-      "-new",
-      "-x509",
-      "-key",
-      keyPath,
-      "-out",
-      certPath,
-      "-days",
-      "365",
-      "-subj",
-      "/CN=Vellum Daemon",
-    ],
-    { stdout: "pipe", stderr: "pipe" },
-  );
-  const certExit = await certProc.exited;
-  if (certExit !== 0) {
-    const stderr = await new Response(certProc.stderr).text();
-    throw new Error(`Failed to generate TLS certificate: ${stderr}`);
-  }
-
-  // Compute and write fingerprint
-  const certPem = await readFile(certPath, "utf-8");
-  const x509 = new X509Certificate(certPem);
-  const fingerprint = computeFingerprint(x509);
-  await writeFile(fpPath, fingerprint);
-
-  // Set permissions: key is private, cert and fingerprint are readable
-  await Promise.all([
-    chmod(keyPath, 0o600),
-    chmod(certPath, 0o644),
-    chmod(fpPath, 0o644),
-  ]);
-
-  log.info({ fingerprint, certPath }, "TLS certificate generated");
-  return {
-    cert: certPem,
-    key: await readFile(keyPath, "utf-8"),
-    fingerprint,
-  };
-}

package/src/errors.ts

@@ -1,41 +0,0 @@
-/**
- * Central export point for the Vellum error hierarchy.
- *
- * Import from this module to access any named error class:
- *
- *   import { VellumError, BackendUnavailableError, RateLimitError, ... } from '../errors.js';
- *
- * Full hierarchy (defined in util/errors.ts):
- *
- *   VellumError                     — root base
- *   ├─ BackendError                 — infrastructure / external-service failures
- *   │  ├─ BackendUnavailableError   — service not reachable or not configured
- *   │  └─ RateLimitError            — request or token quota exceeded
- *   ├─ UserError                    — user input / policy violations
- *   └─ AssistantError               — assistant-logic errors (carries ErrorCode)
- *      ├─ ProviderError
- *      ├─ ToolError
- *      ├─ PermissionDeniedError
- *      ├─ ConfigError
- *      ├─ DaemonError
- *      ├─ PlatformError
- *      ├─ IntegrityError
- *      └─ IngressBlockedError
- */
-export {
-  AssistantError,
-  BackendError,
-  BackendUnavailableError,
-  ConfigError,
-  DaemonError,
-  ErrorCode,
-  IngressBlockedError,
-  IntegrityError,
-  PermissionDeniedError,
-  PlatformError,
-  ProviderError,
-  RateLimitError,
-  ToolError,
-  UserError,
-  VellumError,
-} from "./util/errors.js";

package/src/events/index.ts

@@ -1,18 +0,0 @@
-export {
-  type AnyEventEnvelope,
-  type AnyEventListener,
-  EventBus,
-  EventBusDisposedError,
-  type EventListener,
-  type EventMap,
-  type Subscription,
-} from "./bus.js";
-export type {
-  AssistantDomainEvents,
-  DaemonDomainEvents,
-  ToolDomainEvents,
-} from "./domain-events.js";
-export { createToolDomainEventPublisher } from "./tool-domain-event-publisher.js";
-export { registerToolMetricsLoggingListener } from "./tool-metrics-listener.js";
-export { registerToolNotificationListener } from "./tool-notification-listener.js";
-export { registerToolTraceListener } from "./tool-trace-listener.js";

package/src/followups/index.ts

@@ -1,10 +0,0 @@
-export {
-  createFollowUp,
-  getFollowUp,
-  getOverdueFollowUps,
-  listFollowUps,
-  markNudged,
-  resolveByThread,
-  resolveFollowUp,
-} from "./followup-store.js";
-export type { FollowUp, FollowUpCreateInput, FollowUpStatus } from "./types.js";

package/src/playbooks/index.ts

@@ -1,10 +0,0 @@
-export {
-  type CompiledPlaybooks,
-  compilePlaybooks,
-  type CompilePlaybooksOptions,
-} from "./playbook-compiler.js";
-export {
-  parsePlaybookStatement,
-  type Playbook,
-  type PlaybookAutonomyLevel,
-} from "./types.js";

package/src/runtime/auth/index.ts

@@ -1,44 +0,0 @@
-/**
- * Auth module barrel export.
- *
- * Re-exports all public types and functions from the auth subsystem
- * so consumers can import from a single path.
- */
-
-export type { BuildAuthContextResult } from "./context.js";
-export { buildAuthContext } from "./context.js";
-export type {
-  CredentialPairResult,
-  RefreshErrorCode,
-  RotateResult,
-} from "./credential-service.js";
-export { mintCredentialPair, rotateCredentials } from "./credential-service.js";
-export {
-  getExternalAssistantId,
-  resetExternalAssistantIdCache,
-} from "./external-assistant-id.js";
-export type { AuthenticateResult } from "./middleware.js";
-export { authenticateRequest } from "./middleware.js";
-export { CURRENT_POLICY_EPOCH, isStaleEpoch } from "./policy.js";
-export type { RoutePolicy } from "./route-policy.js";
-export { enforcePolicy, getPolicy, registerPolicy } from "./route-policy.js";
-export { hasAllScopes, hasScope, resolveScopeProfile } from "./scopes.js";
-export type { ParseSubResult } from "./subject.js";
-export { parseSub } from "./subject.js";
-export type { VerifyResult } from "./token-service.js";
-export {
-  hashToken,
-  initAuthSigningKey,
-  loadOrCreateSigningKey,
-  mintDaemonDeliveryToken,
-  mintToken,
-  verifyToken,
-} from "./token-service.js";
-export type {
-  AuthContext,
-  PrincipalType,
-  Scope,
-  ScopeProfile,
-  TokenAudience,
-  TokenClaims,
-} from "./types.js";

package/src/tasks/candidate-store.ts

@@ -1,95 +0,0 @@
-import { desc, eq, isNull } from "drizzle-orm";
-
-import { getDb } from "../memory/db.js";
-import { taskCandidates } from "../memory/schema.js";
-
-// ── Types ────────────────────────────────────────────────────────────
-
-export interface TaskCandidate {
-  id: string;
-  sourceConversationId: string;
-  compiledTemplate: string;
-  confidence: number | null;
-  requiredTools: string[] | null;
-  createdAt: number;
-  promotedTaskId: string | null;
-}
-
-// ── Helpers ──────────────────────────────────────────────────────────
-
-/** Convert a raw DB row to a TaskCandidate, deserializing the JSON requiredTools field. */
-function rowToCandidate(
-  row: typeof taskCandidates.$inferSelect,
-): TaskCandidate {
-  return {
-    id: row.id,
-    sourceConversationId: row.sourceConversationId,
-    compiledTemplate: row.compiledTemplate,
-    confidence: row.confidence,
-    requiredTools: row.requiredTools ? JSON.parse(row.requiredTools) : null,
-    createdAt: row.createdAt,
-    promotedTaskId: row.promotedTaskId,
-  };
-}
-
-// ── CRUD ─────────────────────────────────────────────────────────────
-
-/** Record a new task candidate from a conversation. */
-export function createCandidate(opts: {
-  sourceConversationId: string;
-  compiledTemplate: string;
-  confidence?: number;
-  requiredTools?: string[];
-}): TaskCandidate {
-  const db = getDb();
-  const now = Date.now();
-  const id = crypto.randomUUID();
-  const row = {
-    id,
-    sourceConversationId: opts.sourceConversationId,
-    compiledTemplate: opts.compiledTemplate,
-    confidence: opts.confidence ?? null,
-    requiredTools: opts.requiredTools
-      ? JSON.stringify(opts.requiredTools)
-      : null,
-    createdAt: now,
-    promotedTaskId: null,
-  };
-  db.insert(taskCandidates).values(row).run();
-  return {
-    ...row,
-    requiredTools: opts.requiredTools ?? null,
-  };
-}
-
-/** List unpromoted candidates (most recent first). */
-export function listUnpromotedCandidates(limit?: number): TaskCandidate[] {
-  const db = getDb();
-  const query = db
-    .select()
-    .from(taskCandidates)
-    .where(isNull(taskCandidates.promotedTaskId))
-    .orderBy(desc(taskCandidates.createdAt));
-  const rows = limit ? query.limit(limit).all() : query.all();
-  return rows.map(rowToCandidate);
-}
-
-/** Mark a candidate as promoted to a real task. */
-export function promoteCandidate(candidateId: string, taskId: string): void {
-  const db = getDb();
-  db.update(taskCandidates)
-    .set({ promotedTaskId: taskId })
-    .where(eq(taskCandidates.id, candidateId))
-    .run();
-}
-
-/** Get a candidate by ID. */
-export function getCandidate(id: string): TaskCandidate | undefined {
-  const db = getDb();
-  const row = db
-    .select()
-    .from(taskCandidates)
-    .where(eq(taskCandidates.id, id))
-    .get();
-  return row ? rowToCandidate(row) : undefined;
-}