@vellumai/assistant 0.4.53 → 0.4.55

package/src/tools/registry.ts

@@ -1,4 +1,3 @@
-import { RiskLevel } from "../permissions/types.js";
 import type { ToolDefinition } from "../providers/types.js";
 import { getLogger } from "../util/logger.js";
 import { coreAppProxyTools } from "./apps/definitions.js";
@@ -8,7 +7,7 @@ import { hostFileEditTool } from "./host-filesystem/edit.js";
 import { hostFileReadTool } from "./host-filesystem/read.js";
 import { hostFileWriteTool } from "./host-filesystem/write.js";
 import { hostShellTool } from "./host-terminal/host-shell.js";
-import type { Tool, ToolContext, ToolExecutionResult } from "./types.js";
+import type { Tool } from "./types.js";
 import { allUiSurfaceTools } from "./ui-surface/definitions.js";
 import { registerUiSurfaceTools } from "./ui-surface/registry.js";
 
@@ -26,68 +25,6 @@ let coreToolsSnapshot: Map<string, Tool> | null = null;
 // Tools are only removed from the global registry when this drops to 0.
 const skillRefCount = new Map<string, number>();
 
-export interface LazyToolDescriptor {
-  name: string;
-  description: string;
-  category: string;
-  defaultRiskLevel: RiskLevel;
-  definition: ToolDefinition;
-  loader: () => Promise<Tool>;
-}
-
-/**
- * A tool wrapper that exposes metadata eagerly but defers module loading
- * and execute() initialization until the tool is first invoked.
- */
-class LazyTool implements Tool {
-  name: string;
-  description: string;
-  category: string;
-  defaultRiskLevel: RiskLevel;
-  private definition: ToolDefinition;
-  private loader: () => Promise<Tool>;
-  private resolvedTool: Tool | null = null;
-  private loadPromise: Promise<Tool> | null = null;
-
-  constructor(descriptor: LazyToolDescriptor) {
-    this.name = descriptor.name;
-    this.description = descriptor.description;
-    this.category = descriptor.category;
-    this.defaultRiskLevel = descriptor.defaultRiskLevel;
-    this.definition = descriptor.definition;
-    this.loader = descriptor.loader;
-  }
-
-  getDefinition(): ToolDefinition {
-    return this.definition;
-  }
-
-  async execute(
-    input: Record<string, unknown>,
-    context: ToolContext,
-  ): Promise<ToolExecutionResult> {
-    if (!this.resolvedTool) {
-      if (!this.loadPromise) {
-        // Assign loadPromise synchronously before the async loader begins,
-        // so concurrent callers see the guard immediately.
-        const promise = this.loader()
-          .then((tool) => {
-            this.resolvedTool = tool;
-            log.info({ name: this.name }, "Lazy tool loaded");
-            return tool;
-          })
-          .catch((err) => {
-            this.loadPromise = null;
-            throw err;
-          });
-        this.loadPromise = promise;
-      }
-      await this.loadPromise;
-    }
-    return this.resolvedTool!.execute(input, context);
-  }
-}
-
 export function registerTool(tool: Tool): void {
   const existing = tools.get(tool.name);
   if (existing) {
@@ -98,11 +35,6 @@ export function registerTool(tool: Tool): void {
   log.info({ name: tool.name, category: tool.category }, "Tool registered");
 }
 
-export function registerLazyTool(descriptor: LazyToolDescriptor): void {
-  const lazy = new LazyTool(descriptor);
-  registerTool(lazy);
-}
-
 export function getTool(name: string): Tool | undefined {
   return tools.get(name);
 }
@@ -250,27 +182,6 @@ export function unregisterAllMcpTools(): void {
   }
 }
 
-/**
- * Unregister all tools belonging to a specific MCP server.
- */
-export function unregisterMcpTools(serverId: string): void {
-  for (const [name, tool] of tools) {
-    if (tool.origin === "mcp" && tool.ownerMcpServerId === serverId) {
-      tools.delete(name);
-      log.info({ name, serverId }, "MCP tool unregistered");
-    }
-  }
-}
-
-/**
- * Return the names of all currently registered MCP-origin tools.
- */
-export function getMcpToolNames(): string[] {
-  return Array.from(tools.values())
-    .filter((t) => t.origin === "mcp")
-    .map((t) => t.name);
-}
-
 /**
  * Return tool definitions for all currently registered MCP-origin tools.
  * Used by the session resolver to dynamically pick up MCP tools that
@@ -312,7 +223,7 @@ export function getAllToolDefinitions(): ToolDefinition[] {
 }
 
 export async function initializeTools(): Promise<void> {
-  const { loadEagerModules, eagerModuleToolNames, explicitTools, lazyTools } =
+  const { loadEagerModules, eagerModuleToolNames, explicitTools } =
     await import("./tool-manifest.js");
 
   // Capture tool names already in the registry before any manifest
@@ -343,24 +254,18 @@ export async function initializeTools(): Promise<void> {
   registerUiSurfaceTools();
   registerAppTools();
 
-  // Lazy tools — defer module loading until first invocation.
-  for (const descriptor of lazyTools) {
-    registerLazyTool(descriptor);
-  }
-
   // Snapshot core tools for __resetRegistryForTesting().  We include every
   // non-skill tool that was registered by the manifest, while excluding
   // arbitrary test tools that were registered before init.
   //
   // A pre-existing tool is included only if it is a known manifest tool
-  // (declared in eagerModuleToolNames, explicitTools, lazyTools, or
-  // hostTools).  This handles ESM cache hits where eager-module tools
-  // are already in the registry before init ran.
+  // (declared in eagerModuleToolNames, explicitTools, or hostTools).
+  // This handles ESM cache hits where eager-module tools are already in
+  // the registry before init ran.
   if (!coreToolsSnapshot) {
     const manifestToolNames = new Set<string>([
       ...eagerModuleToolNames,
       ...explicitTools.map((t: Tool) => t.name),
-      ...lazyTools.map((t: LazyToolDescriptor) => t.name),
       ...hostTools.map((t: Tool) => t.name),
       ...allComputerUseTools.map((t: Tool) => t.name),
       ...allUiSurfaceTools.map((t: Tool) => t.name),

package/src/tools/terminal/parser.ts

@@ -133,7 +133,11 @@ const initGuard = new PromiseGuard<void>();
  *   2. Next to the compiled binary (process.execPath)
  * This matches the pattern used for compiled Bun binary asset resolution.
  */
-function findWasmPath(pkg: string, file: string): string {
+function findWasmPath(
+  pkg: string,
+  file: string,
+  resolvedPkgDir?: string,
+): string {
   const dir = import.meta.dirname ?? __dirname;
 
   // In compiled Bun binaries, import.meta.dirname points into the virtual
@@ -154,9 +158,16 @@ function findWasmPath(pkg: string, file: string): string {
     return execDirPath;
   }
 
-  // Use module resolution to find the package. This handles hoisted
-  // dependencies (e.g. global bun installs where web-tree-sitter is at the
-  // top-level node_modules rather than nested under @vellumai/assistant).
+  // Use a pre-resolved package directory when available (callers pass this so
+  // that static-analysis tools like knip can see the literal specifier).
+  if (resolvedPkgDir) {
+    const resolvedPath = join(resolvedPkgDir, file);
+    if (existsSync(resolvedPath)) return resolvedPath;
+  }
+
+  // Fallback: dynamic module resolution. This handles hoisted dependencies
+  // (e.g. global bun installs where web-tree-sitter is at the top-level
+  // node_modules rather than nested under @vellumai/assistant).
   try {
     const resolved = require.resolve(`${pkg}/package.json`);
     const pkgDir = dirname(resolved);
@@ -184,13 +195,32 @@ async function ensureParser(): Promise<Parser> {
   if (parserInstance) return parserInstance;
 
   await initGuard.run(async () => {
+    let webTreeSitterDir: string | undefined;
+    try {
+      webTreeSitterDir = dirname(
+        require.resolve("web-tree-sitter/package.json"),
+      );
+    } catch {
+      // Handled by findWasmPath fallbacks
+    }
+    let treeSitterBashDir: string | undefined;
+    try {
+      treeSitterBashDir = dirname(
+        require.resolve("tree-sitter-bash/package.json"),
+      );
+    } catch {
+      // Handled by findWasmPath fallbacks
+    }
+
     const treeSitterWasm = findWasmPath(
       "web-tree-sitter",
       "web-tree-sitter.wasm",
+      webTreeSitterDir,
     );
     const bashWasmPath = findWasmPath(
       "tree-sitter-bash",
       "tree-sitter-bash.wasm",
+      treeSitterBashDir,
     );
 
     verifyWasmChecksum(treeSitterWasm, "web-tree-sitter.wasm");

package/src/tools/tool-manifest.ts

@@ -15,7 +15,6 @@ import { fileWriteTool } from "./filesystem/write.js";
 import { memoryManageTool, memoryRecallTool } from "./memory/register.js";
 import { webFetchTool } from "./network/web-fetch.js";
 import { webSearchTool } from "./network/web-search.js";
-import type { LazyToolDescriptor } from "./registry.js";
 import { skillExecuteTool } from "./skills/execute.js";
 import { skillLoadTool } from "./skills/load.js";
 import { requestSystemPermissionTool } from "./system/request-permission.js";
@@ -85,12 +84,3 @@ export const explicitTools: Tool[] = [
   memoryRecallTool,
   credentialStoreTool,
 ];
-
-// ── Lazy tool descriptors ───────────────────────────────────────────
-// Tools that defer module loading until first invocation.
-// bash was previously lazy but is now eagerly registered via side-effect
-// imports above, preserving its full definition (including the `reason` field)
-// and fixing bun --compile module-not-found crashes.
-// swarm_delegate has been moved to the orchestration bundled skill.
-
-export const lazyTools: LazyToolDescriptor[] = [];

package/src/usage/actors.ts

@@ -10,15 +10,3 @@ export type UsageActor =
   | "suggestion_generator"
   | "computer_use_agent"
   | "memory_embedding";
-
-/** All valid actor identifiers (useful for runtime validation). */
-export const USAGE_ACTORS: readonly UsageActor[] = [
-  "main_agent",
-  "context_compactor",
-  "task_classifier",
-  "title_generator",
-  "ambient_analyzer",
-  "suggestion_generator",
-  "computer_use_agent",
-  "memory_embedding",
-] as const;

package/src/util/canonicalize-identity.ts

@@ -44,12 +44,3 @@ export function canonicalizeInboundIdentity(
 
   return trimmed;
 }
-
-/**
- * Check whether a channel uses phone-number-based identity.
- * Useful for call sites that need to know whether E.164 normalization
- * applies without re-importing the channel set.
- */
-export function isPhoneChannel(channel: ChannelId): boolean {
-  return PHONE_CHANNELS.has(channel);
-}

package/src/util/errors.ts

@@ -20,9 +20,6 @@ export enum ErrorCode {
   // WASM integrity check failures
   INTEGRITY_ERROR = "INTEGRITY_ERROR",
 
-  // Rate limit exceeded
-  RATE_LIMIT_ERROR = "RATE_LIMIT_ERROR",
-
   // Secret detected in inbound content
   INGRESS_BLOCKED = "INGRESS_BLOCKED",
 

package/src/util/platform.ts

@@ -284,21 +284,38 @@ export function isIOSPairingEnabled(): boolean {
 }
 
 /**
- * Returns the path to the platform API token file (~/.vellum/platform-token).
- * This token is the X-Session-Token used to authenticate with the Vellum
- * Platform API (e.g. assistant.vellum.ai).
+ * Returns the XDG-compliant path for the platform API token
+ * (~/.config/vellum/platform-token). This is the canonical location
+ * shared by the CLI and desktop app.
+ */
+function getXdgPlatformTokenPath(): string {
+  const configHome =
+    process.env.XDG_CONFIG_HOME?.trim() || join(homedir(), ".config");
+  return join(configHome, "vellum", "platform-token");
+}
+
+/**
+ * Returns the instance-scoped path to the platform API token file
+ * (~/.vellum/platform-token). Used as a fallback for local assistant
+ * instances that may have the token written here by the desktop app.
  */
 export function getPlatformTokenPath(): string {
   return join(getRootDir(), "platform-token");
 }
 
 /**
- * Read the platform API token from disk. Returns null if the file
- * doesn't exist or can't be read.
+ * Read the platform API token from disk. Checks the instance-scoped
+ * path first, then falls back to the XDG-compliant shared location.
+ * Returns null if neither file exists or can be read.
  */
 export function readPlatformToken(): string | null {
   try {
     return readFileSync(getPlatformTokenPath(), "utf-8").trim();
+  } catch {
+    // Instance-scoped token not found; try XDG path
+  }
+  try {
+    return readFileSync(getXdgPlatformTokenPath(), "utf-8").trim();
   } catch {
     return null;
   }
@@ -321,7 +338,7 @@ export function getHistoryPath(): string {
 }
 
 export function getHooksDir(): string {
-  return getWorkspaceHooksDir();
+  return join(getRootDir(), "hooks");
 }
 
 // --- Workspace path primitives ---
@@ -369,7 +386,7 @@ export function ensureDataDir(): void {
     join(root, "protected"),
     // Workspace dirs
     workspace,
-    join(workspace, "hooks"),
+    join(root, "hooks"),
     join(workspace, "skills"),
     join(workspace, "embedding-models"),
     // Data sub-dirs under workspace

package/src/util/pricing.ts

@@ -264,41 +264,3 @@ export function resolvePricing(
     createDirectUsage(inputTokens, outputTokens),
   );
 }
-
-/**
- * Resolve pricing with optional custom model overrides checked first.
- * Overrides are matched by provider (exact) and modelPattern (prefix match).
- * Falls back to the built-in catalog if no override matches.
- */
-export function resolvePricingWithOverrides(
-  provider: string,
-  model: string,
-  inputTokens: number,
-  outputTokens: number,
-  overrides?: ModelPricingOverride[],
-): PricingResult {
-  return resolvePricingForUsageWithOverrides(
-    provider,
-    model,
-    createDirectUsage(inputTokens, outputTokens),
-    overrides,
-  );
-}
-
-/**
- * Estimate cost in USD for the given token counts, provider, and model.
- * Returns 0 if the provider/model combination is not in the pricing table
- * (e.g. Ollama local models).
- */
-export function estimateCost(
-  inputTokens: number,
-  outputTokens: number,
-  model: string,
-  provider: string,
-): number {
-  const result = resolvePricing(provider, model, inputTokens, outputTokens);
-  if (result.pricingStatus === "priced" && result.estimatedCostUsd != null) {
-    return result.estimatedCostUsd;
-  }
-  return 0;
-}

package/src/watcher/constants.ts

@@ -1,11 +1,4 @@
 /** Default poll interval for watchers (60 seconds). */
 export const DEFAULT_POLL_INTERVAL_MS = 60_000;
-
-/** Base delay for exponential backoff on consecutive errors. */
-export const BACKOFF_BASE_MS = 30_000;
-
-/** Maximum backoff delay (1 hour). */
-export const MAX_BACKOFF_MS = 60 * 60 * 1000;
-
 /** Disable watcher after this many consecutive errors. */
 export const MAX_CONSECUTIVE_ERRORS = 5;

package/src/watcher/providers/linear.ts

@@ -402,7 +402,7 @@ function getStateCache(watcherKey: string): Map<string, string> {
  * disabled. Prevents unbounded growth of `knownIssueStateIdsByWatcher` in
  * environments that create and delete watchers frequently (watcher churn).
  */
-export function clearLinearStateCache(watcherKey: string): void {
+function clearLinearStateCache(watcherKey: string): void {
   knownIssueStateIdsByWatcher.delete(watcherKey);
   lastSeenAssignedIdsByWatcher.delete(watcherKey);
 }

package/src/work-items/work-item-store.ts

@@ -147,7 +147,7 @@ export function deleteWorkItem(id: string): void {
 
 // ── Queue Removal ───────────────────────────────────────────────────
 
-export interface RemoveWorkItemResult {
+interface RemoveWorkItemResult {
   success: boolean;
   title: string;
   message: string;
@@ -177,7 +177,7 @@ export function removeWorkItemFromQueue(id: string): RemoveWorkItemResult {
 
 // ── Selectors / Helpers ─────────────────────────────────────────────
 
-export interface WorkItemSelector {
+interface WorkItemSelector {
   workItemId?: string;
   taskId?: string;
   title?: string;
@@ -356,9 +356,9 @@ export function resolveWorkItem(
 
 // ── Entity Identification ───────────────────────────────────────────
 
-export type EntityType = "task_template" | "work_item" | "unknown";
+type EntityType = "task_template" | "work_item" | "unknown";
 
-export interface EntityIdentification {
+interface EntityIdentification {
   type: EntityType;
   id: string;
   title?: string;

package/src/workspace/commit-message-provider.ts

@@ -33,7 +33,7 @@ export interface CommitMessageProvider {
 /**
  * Build a short summary of what changed from a list of file paths.
  */
-export function buildChangeSummary(files: string[]): string {
+function buildChangeSummary(files: string[]): string {
   if (files.length === 0) {
     return "workspace changes";
   }

package/src/workspace/git-service.ts

@@ -1,5 +1,11 @@
 import { execFile } from "node:child_process";
-import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import {
+  existsSync,
+  readFileSync,
+  statSync,
+  unlinkSync,
+  writeFileSync,
+} from "node:fs";
 import { join } from "node:path";
 import { promisify } from "node:util";
 
@@ -252,6 +258,33 @@ export class WorkspaceGitService {
     );
   }
 
+  /** Age threshold (ms) beyond which an index.lock is considered stale. */
+  private static readonly LOCK_STALE_THRESHOLD_MS = 30_000;
+
+  /**
+   * Remove `.git/index.lock` only if it is stale — older than
+   * {@link LOCK_STALE_THRESHOLD_MS}. A recently-created lock may belong to a
+   * concurrent git process outside our mutex (e.g. a user-initiated CLI
+   * command), so we leave it alone.
+   */
+  private cleanStaleLockFile(): void {
+    const lockPath = join(this.workspaceDir, ".git", "index.lock");
+    try {
+      const stat = statSync(lockPath);
+      const ageMs = Date.now() - stat.mtimeMs;
+      if (ageMs < WorkspaceGitService.LOCK_STALE_THRESHOLD_MS) {
+        log.debug(
+          `index.lock exists but is only ${Math.round(ageMs / 1000)}s old — leaving it`,
+        );
+        return;
+      }
+      unlinkSync(lockPath);
+      log.debug(`Removed stale index.lock (${Math.round(ageMs / 1000)}s old)`);
+    } catch {
+      // File doesn't exist or can't be stat'd/removed — move on.
+    }
+  }
+
   /**
    * Ensure the git repository is initialized.
    * Idempotent: safe to call multiple times.
@@ -298,6 +331,11 @@ export class WorkspaceGitService {
 
           const gitDir = join(this.workspaceDir, ".git");
 
+          // Clean up stale lock files before any git operations.
+          if (existsSync(gitDir)) {
+            this.cleanStaleLockFile();
+          }
+
           if (existsSync(gitDir)) {
             // Validate existing repo is not corrupted before marking as ready.
             // A corrupted .git directory (e.g. missing HEAD) would cause all
@@ -440,6 +478,8 @@ export class WorkspaceGitService {
     await this.ensureInitialized();
 
     await this.mutex.withLock(async () => {
+      this.cleanStaleLockFile();
+
       // Stage all changes
       await this.execGit(["add", "-A"]);
 
@@ -513,6 +553,8 @@ export class WorkspaceGitService {
 
     try {
       const result = await this.mutex.withLock(async () => {
+        this.cleanStaleLockFile();
+
         // Re-check breaker under lock: a queued call that started before the
         // breaker opened should not proceed with expensive git work now that
         // the breaker is open.
@@ -853,6 +895,7 @@ export class WorkspaceGitService {
   ): Promise<void> {
     await this.ensureInitialized();
     await this.mutex.withLock(async () => {
+      this.cleanStaleLockFile();
       await fn((args) => this.execGit(args));
     });
   }

package/src/workspace/provider-commit-message-generator.ts

@@ -141,7 +141,7 @@ export class ProviderCommitMessageGenerator {
     // Step 2: Resolve configured provider using fail-open semantics.
     // If nothing is resolvable, differentiate likely missing-key cases from
     // true registry/init failures.
-    const resolved = resolveConfiguredProvider();
+    const resolved = await resolveConfiguredProvider();
     if (!resolved) {
       const candidates = getProviderCandidates(config);
       const hasAnyKeylessCandidate = candidates.some((name) =>