@vellumai/assistant 0.4.54 → 0.4.55

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/assistant",
-  "version": "0.4.54",
+  "version": "0.4.55",
   "type": "module",
   "exports": {
     ".": "./src/index.ts"

package/src/__tests__/list-messages-attachments.test.ts

@@ -4,7 +4,7 @@
  * Verifies that:
  * - User message image attachments include base64 data for client thumbnail generation
  * - User message non-image attachments stay metadata-only (no base64 blob)
- * - Assistant message attachments remain metadata-only
+ * - Assistant message image attachments include base64 data (same as user messages)
  */
 
 import { mkdtempSync, rmSync } from "node:fs";
@@ -140,7 +140,7 @@ describe("handleListMessages attachments", () => {
     expect(attachments![0].data).toBeUndefined();
   });
 
-  test("assistant message attachments remain metadata-only", async () => {
+  test("assistant message image attachments include base64 data", async () => {
     const conv = createConversation();
     const msg = await addMessage(
       conv.id,
@@ -158,8 +158,8 @@ describe("handleListMessages attachments", () => {
     expect(attachments).toBeDefined();
     expect(attachments).toHaveLength(1);
     expect(attachments![0].mimeType).toBe("image/png");
-    // Assistant attachments should NOT include base64 data (metadata-only)
-    expect(attachments![0].data).toBeUndefined();
+    // Assistant image attachments include base64 data for inline rendering
+    expect(attachments![0].data).toBe(IMAGE_BASE64);
   });
 
   test("user message with mixed attachments only inlines images", async () => {

package/src/cli/commands/bash.ts

@@ -47,6 +47,9 @@ This is a developer debugging tool for inspecting how the assistant invokes and
 observes shell commands. The command runs with the assistant's environment, working
 directory, and process context — not the caller's shell.
 
+Requires the assistant to be running with VELLUM_DEBUG=1. When debug mode is off
+(the default), the assistant ignores bash signal files and returns an error.
+
 The CLI writes the command to signals/bash.<requestId> and polls
 signals/bash.<requestId>.result for the output. The assistant must be running
 for this to work.

package/src/daemon/config-watcher.ts

@@ -20,7 +20,7 @@ import {
   resetAllowlist,
   validateAllowlistFile,
 } from "../security/secret-allowlist.js";
-import { handleBashSignal } from "../signals/bash.js";
+import { handleBashSignal, isDebugMode } from "../signals/bash.js";
 import { handleCancelSignal } from "../signals/cancel.js";
 import { handleConfirmationSignal } from "../signals/confirm.js";
 import { handleConversationUndoSignal } from "../signals/conversation-undo.js";
@@ -237,7 +237,7 @@ export class ConfigWatcher {
     };
 
     const prefixSignalHandlers: Record<string, (filename: string) => void> = {
-      "bash.": handleBashSignal,
+      ...(isDebugMode() ? { "bash.": handleBashSignal } : {}),
     };
 
     try {

package/src/daemon/server.ts

@@ -279,6 +279,7 @@ export class DaemonServer {
   constructor() {
     this.evictor = new SessionEvictor(this.sessions);
     getSubagentManager().sharedRequestTimestamps = this.sharedRequestTimestamps;
+    getSubagentManager().broadcastToAllClients = (msg) => this.broadcast(msg);
     this.evictor.onEvict = (sessionId: string) => {
       getSubagentManager().abortAllForParent(sessionId);
     };

package/src/memory/schema/calls.ts

@@ -196,70 +196,3 @@ export const mediaKeyframes = sqliteTable("media_keyframes", {
   metadata: text("metadata"), // JSON
   createdAt: integer("created_at").notNull(),
 });
-
-export const mediaVisionOutputs = sqliteTable("media_vision_outputs", {
-  id: text("id").primaryKey(),
-  assetId: text("asset_id")
-    .notNull()
-    .references(() => mediaAssets.id, { onDelete: "cascade" }),
-  keyframeId: text("keyframe_id")
-    .notNull()
-    .references(() => mediaKeyframes.id, { onDelete: "cascade" }),
-  analysisType: text("analysis_type").notNull(),
-  output: text("output").notNull(), // JSON
-  confidence: real("confidence"),
-  createdAt: integer("created_at").notNull(),
-});
-
-export const mediaTimelines = sqliteTable("media_timelines", {
-  id: text("id").primaryKey(),
-  assetId: text("asset_id")
-    .notNull()
-    .references(() => mediaAssets.id, { onDelete: "cascade" }),
-  startTime: real("start_time").notNull(),
-  endTime: real("end_time").notNull(),
-  segmentType: text("segment_type").notNull(),
-  attributes: text("attributes"), // JSON
-  confidence: real("confidence"),
-  createdAt: integer("created_at").notNull(),
-});
-
-export const mediaEvents = sqliteTable("media_events", {
-  id: text("id").primaryKey(),
-  assetId: text("asset_id")
-    .notNull()
-    .references(() => mediaAssets.id, { onDelete: "cascade" }),
-  eventType: text("event_type").notNull(),
-  startTime: real("start_time").notNull(),
-  endTime: real("end_time").notNull(),
-  confidence: real("confidence").notNull(),
-  reasons: text("reasons").notNull(), // JSON array
-  metadata: text("metadata"), // JSON
-  createdAt: integer("created_at").notNull(),
-});
-
-export const mediaTrackingProfiles = sqliteTable("media_tracking_profiles", {
-  id: text("id").primaryKey(),
-  assetId: text("asset_id")
-    .notNull()
-    .references(() => mediaAssets.id, { onDelete: "cascade" }),
-  capabilities: text("capabilities").notNull(), // JSON: { [capName]: { enabled, tier } }
-  createdAt: integer("created_at").notNull(),
-});
-
-export const mediaEventFeedback = sqliteTable("media_event_feedback", {
-  id: text("id").primaryKey(),
-  assetId: text("asset_id")
-    .notNull()
-    .references(() => mediaAssets.id, { onDelete: "cascade" }),
-  eventId: text("event_id")
-    .notNull()
-    .references(() => mediaEvents.id, { onDelete: "cascade" }),
-  feedbackType: text("feedback_type").notNull(), // correct | incorrect | boundary_edit | missed
-  originalStartTime: real("original_start_time"),
-  originalEndTime: real("original_end_time"),
-  correctedStartTime: real("corrected_start_time"),
-  correctedEndTime: real("corrected_end_time"),
-  notes: text("notes"),
-  createdAt: integer("created_at").notNull(),
-});

package/src/prompts/system-prompt.ts

@@ -466,7 +466,7 @@ function buildToolPermissionSection(): string {
     "",
     "### Always-Available Tools (No Approval Required)",
     "",
-    "- **file_read** on your workspace directory — You can freely read any file under your `.vellum` workspace at any time. Use this proactively to check files, load context, and inform your responses without asking. **Always use `file_read` for workspace files (IDENTITY.md, USER.md, SOUL.md, etc.), never `host_file_read`.**",
+    "- **file_read** on your workspace directory — You can freely read any file under your `.vellum` workspace at any time. Use this proactively to check files, load context, and inform your responses without asking. **Always use `file_read` for workspace files, never `host_file_read`.** Note: your core prompt files (IDENTITY.md, SOUL.md, USER.md) are already loaded into your system prompt — no need to re-read them at the start of a conversation.",
     "- **web_search** — You can search the web at any time without approval. Use this to look up documentation, current information, or anything you need.",
   ].join("\n");
 }
@@ -706,7 +706,7 @@ function buildLearningMemorySection(): string {
     "",
     "When you make a mistake, hit a dead end, or discover something non-obvious, save it to memory so you don't repeat it.",
     "",
-    'Use `memory_manage` with `op: "save", kind: "identity"` for:',
+    'Use `memory_manage` with `op: "save", kind: "constraint"` for:',
     "- **Mistakes and corrections** — wrong assumptions, failed approaches, gotchas you ran into",
     "- **Discoveries** — undocumented behaviors, surprising API quirks, things that weren't obvious",
     "- **Working solutions** — the approach that actually worked after trial and error",
@@ -715,8 +715,8 @@ function buildLearningMemorySection(): string {
     "The statement should capture both what happened and the takeaway. Write it as advice to your future self.",
     "",
     "Examples:",
-    '- `memory_manage({ op: "save", kind: "identity", subject: "macOS Shortcuts CLI", statement: "shortcuts CLI requires full disk access to export shortcuts — if permission is denied, guide the user to grant it in System Settings rather than retrying." })`',
-    '- `memory_manage({ op: "save", kind: "identity", subject: "Gmail API pagination", statement: "Gmail search returns max 100 results per page. Always check nextPageToken and loop if the user asks for \'all\' messages." })`',
+    '- `memory_manage({ op: "save", kind: "constraint", subject: "macOS Shortcuts CLI", statement: "shortcuts CLI requires full disk access to export shortcuts — if permission is denied, guide the user to grant it in System Settings rather than retrying." })`',
+    '- `memory_manage({ op: "save", kind: "constraint", subject: "Gmail API pagination", statement: "Gmail search returns max 100 results per page. Always check nextPageToken and loop if the user asks for \'all\' messages." })`',
     "",
     "Don't overthink it. If you catch yourself thinking \"I'll remember that for next time,\" save it.",
   ].join("\n");

package/src/prompts/templates/SOUL.md

@@ -34,7 +34,7 @@ You are your own entity, with an identity that’s still forming. You can have t
 
 ## Continuity
 
-Each session, you wake up fresh. Your workspace files and saved memories are your continuity — they're how you persist across conversations. Read them. Update them. Save what matters.
+Each session, you wake up fresh. Your workspace files and saved memories are your continuity — they're how you persist across conversations. Your core prompt files (IDENTITY.md, SOUL.md, USER.md) are already loaded into this conversation — you don't need to read them again. Update them when things change. Save what matters.
 
 If you change this file, tell your user — it's your soul, and they should know.
 

package/src/runtime/auth/__tests__/guard-tests.test.ts

@@ -8,6 +8,7 @@
  * 2. No X-Actor-Token references in production code.
  * 3. No legacy gateway-origin proof in production code.
  * 4. Scope profile contract — every profile resolves to the expected scopes.
+ * 5. CURRENT_POLICY_EPOCH sync — the constant matches across all packages.
  */
 
 import { execSync } from "node:child_process";
@@ -330,3 +331,66 @@ describe("scope profile contract", () => {
     }
   });
 });
+
+// ---------------------------------------------------------------------------
+// 5. CURRENT_POLICY_EPOCH sync across packages
+// ---------------------------------------------------------------------------
+
+describe("CURRENT_POLICY_EPOCH sync", () => {
+  /**
+   * The policy epoch constant is duplicated in assistant, gateway, and cli
+   * packages. This test reads the exported value from each source file and
+   * asserts they are all equal.
+   */
+
+  const EPOCH_FILES = [
+    {
+      label: "assistant",
+      path: resolve(PROJECT_ROOT, "assistant/src/runtime/auth/policy.ts"),
+    },
+    {
+      label: "gateway",
+      path: resolve(PROJECT_ROOT, "gateway/src/auth/policy.ts"),
+    },
+    {
+      label: "cli",
+      path: resolve(PROJECT_ROOT, "cli/src/lib/policy.ts"),
+    },
+  ];
+
+  function extractEpoch(filePath: string): number {
+    const src = readFileSync(filePath, "utf-8");
+    const match = src.match(
+      /export\s+const\s+CURRENT_POLICY_EPOCH\s*=\s*(\d+)/,
+    );
+    if (!match) {
+      throw new Error(`Could not find CURRENT_POLICY_EPOCH in ${filePath}`);
+    }
+    return parseInt(match[1], 10);
+  }
+
+  test("all non-skill packages export the same CURRENT_POLICY_EPOCH value", () => {
+    const values = EPOCH_FILES.map((f) => ({
+      label: f.label,
+      epoch: extractEpoch(f.path),
+    }));
+
+    const canonical = values[0];
+    const mismatches = values.filter((v) => v.epoch !== canonical.epoch);
+
+    if (mismatches.length > 0) {
+      const summary = values
+        .map((v) => `  - ${v.label}: ${v.epoch}`)
+        .join("\n");
+      const message = [
+        "CURRENT_POLICY_EPOCH is out of sync across packages:",
+        "",
+        summary,
+        "",
+        "All three locations must have the same value.",
+        "The canonical source is assistant/src/runtime/auth/policy.ts.",
+      ].join("\n");
+      expect(mismatches, message).toEqual([]);
+    }
+  });
+});

package/src/runtime/routes/session-management-routes.ts

@@ -7,8 +7,10 @@
  * POST   /v1/conversations/:id/cancel     — cancel generation
  * POST   /v1/conversations/:id/undo       — undo last message
  * POST   /v1/conversations/:id/regenerate — regenerate last assistant response
+ * POST   /v1/sessions/reorder             — reorder / pin sessions
  */
 
+import { batchSetDisplayOrders } from "../../memory/conversation-crud.js";
 import { setConversationKeyIfAbsent } from "../../memory/conversation-key-store.js";
 import { getLogger } from "../../util/logger.js";
 import { httpError } from "../http-errors.js";
@@ -159,5 +161,30 @@ export function sessionManagementRouteDefinitions(
         }
       },
     },
+    {
+      endpoint: "sessions/reorder",
+      method: "POST",
+      policyKey: "sessions/reorder",
+      handler: async ({ req }) => {
+        const body = (await req.json()) as {
+          updates?: Array<{
+            sessionId: string;
+            displayOrder?: number;
+            isPinned?: boolean;
+          }>;
+        };
+        if (!Array.isArray(body.updates)) {
+          return httpError("BAD_REQUEST", "Missing updates array", 400);
+        }
+        batchSetDisplayOrders(
+          body.updates.map((u) => ({
+            id: u.sessionId,
+            displayOrder: u.displayOrder ?? null,
+            isPinned: u.isPinned ?? false,
+          })),
+        );
+        return Response.json({ ok: true });
+      },
+    },
   ];
 }

package/src/signals/bash.ts

@@ -8,6 +8,12 @@
  *
  * Per-request filenames avoid dropped commands when overlapping invocations
  * race on the same signal file.
+ *
+ * **Security**: This handler is gated behind the `VELLUM_DEBUG` environment
+ * variable. When debug mode is off (the default), the daemon ignores bash
+ * signal files entirely. This prevents untrusted file-write operations
+ * (e.g. from prompt injection or a compromised skill) from bypassing the
+ * normal tool-approval flow for shell execution.
  */
 
 import { spawn } from "node:child_process";
@@ -19,6 +25,12 @@ import { getWorkspaceDir } from "../util/platform.js";
 
 const log = getLogger("signal:bash");
 
+export function isDebugMode(): boolean {
+  return (
+    process.env.VELLUM_DEBUG === "1" || process.env.VELLUM_DEBUG === "true"
+  );
+}
+
 const DEFAULT_TIMEOUT_MS = 30_000;
 
 interface BashSignalPayload {
@@ -53,6 +65,27 @@ function writeResult(requestId: string, result: BashSignalResult): void {
  * when a matching signal file is created or modified.
  */
 export function handleBashSignal(filename: string): void {
+  if (!isDebugMode()) {
+    log.warn(
+      { filename },
+      "Bash signal ignored — debug mode is not enabled (set VELLUM_DEBUG=1)",
+    );
+    // Write an error result so the CLI gets a clear rejection instead of timing out.
+    const match = filename.match(/^bash\.(.+)$/);
+    if (match) {
+      writeResult(match[1], {
+        requestId: match[1],
+        stdout: "",
+        stderr: "",
+        exitCode: null,
+        timedOut: false,
+        error:
+          "Bash signals are disabled. Start the assistant with VELLUM_DEBUG=1 to enable.",
+      });
+    }
+    return;
+  }
+
   const signalPath = join(getWorkspaceDir(), "signals", filename);
   let raw: string;
   try {

package/src/subagent/manager.ts

@@ -87,6 +87,13 @@ export class SubagentManager {
    */
   sharedRequestTimestamps: number[] = [];
 
+  /**
+   * Broadcast callback from the daemon server.
+   * Set by DaemonServer at startup so subagent sessions can broadcast
+   * to all connected clients (e.g. app_files_changed side-effects).
+   */
+  broadcastToAllClients?: (msg: ServerMessage) => void;
+
   // ── Spawn ───────────────────────────────────────────────────────────
 
   /**
@@ -184,7 +191,7 @@ export class SubagentManager {
       maxTokens,
       wrappedSendToClient,
       workingDir,
-      undefined, // no broadcastToAllClients for subagents
+      this.broadcastToAllClients, // forward parent's broadcast so tool side-effects (e.g. app_files_changed) reach all clients
       memoryPolicy,
     );