@vellumai/assistant 0.5.10 → 0.5.12

package/src/daemon/handlers/skills.ts

@@ -25,6 +25,9 @@ import {
   userMessage,
 } from "../../providers/provider-send-message.js";
 import { isTextMimeType as isTextMime } from "../../runtime/routes/workspace-utils.js";
+import { getCatalog } from "../../skills/catalog-cache.js";
+import { installSkillLocally } from "../../skills/catalog-install.js";
+import { filterByQuery } from "../../skills/catalog-search.js";
 import {
   clawhubCheckUpdates,
   clawhubInspect,
@@ -232,8 +235,9 @@ export interface SkillListItem {
   description: string;
   emoji?: string;
   homepage?: string;
-  source: "bundled" | "managed" | "workspace" | "clawhub" | "extra";
+  source: "bundled" | "managed" | "workspace" | "clawhub" | "extra" | "catalog";
   state: "enabled" | "disabled";
+  installStatus: "bundled" | "installed" | "available";
   updateAvailable: boolean;
   provenance: SkillProvenance;
 }
@@ -259,6 +263,9 @@ export function listSkills(_ctx: SkillOperationContext): SkillListItem[] {
     homepage: r.summary.homepage,
     source: r.summary.source,
     state: r.state,
+    installStatus: (r.summary.source === "bundled"
+      ? "bundled"
+      : "installed") as SkillListItem["installStatus"],
     updateAvailable: false,
     provenance: resolveProvenance(r.summary),
   }));
@@ -275,6 +282,54 @@ export function listSkills(_ctx: SkillOperationContext): SkillListItem[] {
   return items;
 }
 
+/**
+ * List installed skills merged with available catalog skills.
+ * Installed skills take precedence when deduplicating by ID.
+ */
+export async function listSkillsWithCatalog(
+  ctx: SkillOperationContext,
+): Promise<SkillListItem[]> {
+  const installed = listSkills(ctx);
+  const installedIds = new Set(installed.map((s) => s.id));
+
+  let catalogSkills: import("../../skills/catalog-install.js").CatalogSkill[];
+  try {
+    catalogSkills = await getCatalog();
+  } catch {
+    // If catalog fetch fails, return installed-only
+    return installed;
+  }
+
+  // All entries from the Vellum platform API are first-party.
+  // Create SkillListItems for catalog skills not already installed.
+  const available: SkillListItem[] = catalogSkills
+    .filter((cs) => !installedIds.has(cs.id))
+    .map((cs) => ({
+      id: cs.id,
+      name: cs.metadata?.vellum?.["display-name"] ?? cs.name,
+      description: cs.description,
+      emoji: cs.emoji,
+      homepage: undefined,
+      source: "catalog" as const,
+      state: "disabled" as const,
+      installStatus: "available" as const,
+      updateAvailable: false,
+      provenance: { kind: "first-party" as const, provider: "Vellum" },
+    }));
+
+  const merged = [...installed, ...available];
+
+  // Sort using the same provenance sort + alphabetical
+  merged.sort((a, b) => {
+    const rankDiff =
+      provenanceSortRank(a.provenance) - provenanceSortRank(b.provenance);
+    if (rankDiff !== 0) return rankDiff;
+    return a.name.localeCompare(b.name);
+  });
+
+  return merged;
+}
+
 /** Look up a single skill by ID from the resolved catalog, returning its SkillListItem. */
 function findSkillById(
   skillId: string,
@@ -294,6 +349,7 @@ function findSkillById(
     homepage: r.summary.homepage,
     source: r.summary.source,
     state: r.state,
+    installStatus: r.summary.source === "bundled" ? "bundled" : "installed",
     updateAvailable: false,
     provenance: resolveProvenance(r.summary),
   };
@@ -519,6 +575,43 @@ export async function installSkill(
       return { success: true };
     }
 
+    // Check the Vellum catalog (first-party skills hosted on the platform)
+    try {
+      const vellumCatalog = await getCatalog();
+      const catalogEntry = vellumCatalog.find((s) => s.id === spec.slug);
+      if (catalogEntry) {
+        await installSkillLocally(spec.slug, catalogEntry, true);
+
+        // Reload skill catalog so the newly installed skill is picked up
+        loadSkillCatalog();
+
+        // Auto-enable the newly installed catalog skill
+        try {
+          const raw = loadRawConfig();
+          ensureSkillEntry(raw, spec.slug).enabled = true;
+          saveConfigWithSuppression(raw, ctx);
+          ctx.broadcast({
+            type: "skills_state_changed",
+            name: spec.slug,
+            state: "enabled",
+          });
+        } catch (err) {
+          log.warn(
+            { err, skillId: spec.slug },
+            "Failed to auto-enable installed catalog skill",
+          );
+        }
+
+        return { success: true };
+      }
+    } catch (err) {
+      // If catalog lookup/install fails, fall through to clawhub
+      log.warn(
+        { err, skillId: spec.slug },
+        "Vellum catalog install failed, falling back to community registry",
+      );
+    }
+
     // Install from clawhub (community)
     const result = await clawhubInstall(spec.slug, { version: spec.version });
     if (!result.success) {
@@ -660,8 +753,60 @@ export async function searchSkills(
   { success: true; data: unknown } | { success: false; error: string }
 > {
   try {
-    const result = await clawhubSearch(query);
-    return { success: true, data: result };
+    // Search the loaded skill catalog (bundled + installed) for matches
+    const catalog = loadSkillCatalog();
+    const catalogMatches = filterByQuery(catalog, query, [
+      (s) => s.id,
+      (s) => s.displayName,
+      (s) => s.description,
+    ]);
+
+    // Shape that matches ClawhubSearchResultItem so the client
+    // (Swift ClawhubSkillItem) can decode results uniformly.
+    interface SearchItem {
+      name: string;
+      slug: string;
+      description: string;
+      author: string;
+      stars: number;
+      installs: number;
+      version: string;
+      createdAt: number;
+      source: "vellum" | "clawhub";
+    }
+
+    const catalogItems: SearchItem[] = catalogMatches.map((s) => ({
+      name: s.displayName,
+      slug: s.id,
+      description: s.description,
+      author: "Vellum",
+      stars: 0,
+      installs: 0,
+      version: "",
+      createdAt: 0,
+      source: "vellum" as const,
+    }));
+
+    // Search the community registry (non-fatal on failure)
+    let communitySkills: SearchItem[] = [];
+    try {
+      const communityResult = await clawhubSearch(query);
+      communitySkills = communityResult.skills;
+    } catch (err) {
+      log.warn(
+        { err },
+        "clawhub search failed, returning catalog-only results",
+      );
+    }
+
+    // Deduplicate: catalog takes precedence when slugs collide
+    const catalogSlugs = new Set(catalogItems.map((s) => s.slug));
+    const deduped = communitySkills.filter((s) => !catalogSlugs.has(s.slug));
+
+    return {
+      success: true,
+      data: { skills: [...catalogItems, ...deduped] },
+    };
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
     log.error({ err }, "Failed to search skills");

package/src/daemon/host-bash-proxy.ts

@@ -86,6 +86,14 @@ export class HostBashProxy {
             clearTimeout(timer);
             this.pending.delete(requestId);
             this.onInternalResolve?.(requestId);
+            try {
+              this.sendToClient({
+                type: "host_bash_cancel",
+                requestId,
+              } as ServerMessage);
+            } catch {
+              // Best-effort cancel notification — connection may already be closed.
+            }
             resolve(formatShellOutput("", "Aborted", null, false, 0));
           }
         };
@@ -144,6 +152,14 @@ export class HostBashProxy {
     for (const [requestId, entry] of this.pending) {
       clearTimeout(entry.timer);
       this.onInternalResolve?.(requestId);
+      try {
+        this.sendToClient({
+          type: "host_bash_cancel",
+          requestId,
+        } as ServerMessage);
+      } catch {
+        // Best-effort cancel notification — connection may already be closed.
+      }
       entry.reject(
         new AssistantError(
           "Host bash proxy disposed",

package/src/daemon/host-cu-proxy.ts

@@ -170,6 +170,14 @@ export class HostCuProxy {
             clearTimeout(timer);
             this.pending.delete(requestId);
             this.onInternalResolve?.(requestId);
+            try {
+              this.sendToClient({
+                type: "host_cu_cancel",
+                requestId,
+              } as ServerMessage);
+            } catch {
+              // Best-effort cancel notification — connection may already be closed.
+            }
             resolve({ content: "Aborted", isError: true });
           }
         };
@@ -381,6 +389,14 @@ export class HostCuProxy {
     for (const [requestId, entry] of this.pending) {
       clearTimeout(entry.timer);
       this.onInternalResolve?.(requestId);
+      try {
+        this.sendToClient({
+          type: "host_cu_cancel",
+          requestId,
+        } as ServerMessage);
+      } catch {
+        // Best-effort cancel notification — connection may already be closed.
+      }
       entry.reject(
         new AssistantError("Host CU proxy disposed", ErrorCode.INTERNAL_ERROR),
       );

package/src/daemon/host-file-proxy.ts

@@ -82,6 +82,14 @@ export class HostFileProxy {
             clearTimeout(timer);
             this.pending.delete(requestId);
             this.onInternalResolve?.(requestId);
+            try {
+              this.sendToClient({
+                type: "host_file_cancel",
+                requestId,
+              } as ServerMessage);
+            } catch {
+              // Best-effort cancel notification — connection may already be closed.
+            }
             resolve({ content: "Aborted", isError: true });
           }
         };
@@ -123,6 +131,14 @@ export class HostFileProxy {
     for (const [requestId, entry] of this.pending) {
       clearTimeout(entry.timer);
       this.onInternalResolve?.(requestId);
+      try {
+        this.sendToClient({
+          type: "host_file_cancel",
+          requestId,
+        } as ServerMessage);
+      } catch {
+        // Best-effort cancel notification — connection may already be closed.
+      }
       entry.reject(
         new AssistantError(
           "Host file proxy disposed",

package/src/daemon/lifecycle.ts

@@ -77,7 +77,11 @@ import {
 import { ensureVellumGuardianBinding } from "../runtime/guardian-vellum-migration.js";
 import { RuntimeHttpServer } from "../runtime/http-server.js";
 import { startScheduler } from "../schedule/scheduler.js";
-import { setCesClient } from "../security/secure-keys.js";
+import {
+  onCesClientChanged,
+  setCesClient,
+  setCesReconnect,
+} from "../security/secure-keys.js";
 import { seedCatalogSkillMemories } from "../skills/skill-memory.js";
 import { UsageTelemetryReporter } from "../telemetry/usage-telemetry-reporter.js";
 import { getDeviceId } from "../util/device-id.js";
@@ -109,6 +113,7 @@ import {
   createGuardianActionCopyGenerator,
   createGuardianFollowUpConversationGenerator,
 } from "./guardian-action-generators.js";
+import { backfillSlackInjectionTemplates } from "./handlers/config-slack-channel.js";
 import {
   cancelGeneration,
   clearAllConversations,
@@ -282,7 +287,7 @@ export async function runDaemon(): Promise<void> {
     log.info("Daemon startup: workspace migrations complete");
 
     // Backfill oauth_connection rows for manual-token providers (Telegram,
-    // Slack channel) that already have keychain credentials from before the
+    // Slack channel) that already have stored credentials from before the
     // oauth_connection migration. Safe to call on every startup.
     //
     // Must run AFTER workspace migrations.
@@ -297,6 +302,17 @@ export async function runDaemon(): Promise<void> {
       );
     }
 
+    // Backfill injection templates on Slack bot token credentials so the
+    // credential proxy can inject Authorization headers. Safe on every startup.
+    try {
+      backfillSlackInjectionTemplates();
+    } catch (err) {
+      log.warn(
+        { err },
+        "Slack injection template backfill failed — continuing startup",
+      );
+    }
+
     // Now that workspace migrations have run (including 003-seed-device-id
     // which may copy the legacy installationId into device.json), it is safe
     // to read the device ID and set the Sentry tag.
@@ -483,6 +499,41 @@ export async function runDaemon(): Promise<void> {
           setCesClient(client);
         }
       }
+
+      // Register CES reconnection callback so the credential layer can
+      // re-establish the connection when the transport dies, instead of
+      // falling back to the encrypted file store.
+      if (cesResult.processManager) {
+        const pm = cesResult.processManager;
+        setCesReconnect(async () => {
+          try {
+            await pm.stop();
+            const transport = await pm.start();
+            const newClient = createCesClient(transport);
+            const proxyCtx = await resolveManagedProxyContext();
+            const { accepted, reason } = await newClient.handshake(
+              proxyCtx.assistantApiKey
+                ? { assistantApiKey: proxyCtx.assistantApiKey }
+                : undefined,
+            );
+            if (accepted) {
+              log.info("CES reconnection handshake accepted");
+              return newClient;
+            }
+            log.warn({ reason }, "CES reconnection handshake rejected");
+            newClient.close();
+            await pm.stop().catch(() => {});
+            return undefined;
+          } catch (err) {
+            log.warn(
+              { error: err instanceof Error ? err.message : String(err) },
+              "CES reconnection attempt failed",
+            );
+            await pm.stop().catch(() => {});
+            return undefined;
+          }
+        });
+      }
     }
 
     await initializeProvidersAndTools(config);
@@ -492,6 +543,11 @@ export async function runDaemon(): Promise<void> {
     log.info("Daemon startup: starting DaemonServer");
     const server = new DaemonServer();
     server.setCes(await cesStartupPromise);
+
+    // Keep the server's CES client ref in sync after reconnection so that
+    // secret routes and new conversations use the fresh client.
+    onCesClientChanged((client) => server.updateCesClient(client));
+
     await server.start();
     log.info("Daemon startup: DaemonServer started");
 
@@ -839,6 +895,9 @@ export async function runDaemon(): Promise<void> {
         getHandlerContext: () => server.getHandlerContext(),
       }),
       getCesClient: () => server.getCesClient(),
+      onProviderCredentialsChanged: () =>
+        server.refreshConversationsForProviderChange(),
+      getHeartbeatService: () => server.getHeartbeatService(),
     });
 
     // Inject voice bridge deps BEFORE attempting to start the HTTP server.
@@ -1092,8 +1151,19 @@ export async function runDaemon(): Promise<void> {
     const heartbeatConfig = config.heartbeat;
     const heartbeat = new HeartbeatService({
       processMessage: (conversationId, content) =>
-        server.processMessage(conversationId, content),
+        server.processMessage(conversationId, content, undefined, {
+          trustContext: {
+            sourceChannel: "vellum",
+            trustClass: "guardian",
+          },
+        }),
       alerter: (alert) => server.broadcast(alert),
+      onConversationCreated: (info) =>
+        server.broadcast({
+          type: "heartbeat_conversation_created",
+          conversationId: info.conversationId,
+          title: info.title,
+        }),
     });
     heartbeat.start();
     server.setHeartbeatService(heartbeat);

package/src/daemon/message-types/acp.ts

@@ -25,20 +25,6 @@ export interface AcpSessionUpdate {
   toolStatus?: string;
 }
 
-export interface AcpPermissionRequest {
-  type: "acp_permission_request";
-  acpSessionId: string;
-  requestId: string;
-  toolTitle: string;
-  toolKind: string;
-  rawInput?: unknown;
-  options: Array<{
-    optionId: string;
-    name: string;
-    kind: "allow_once" | "allow_always" | "reject_once" | "reject_always";
-  }>;
-}
-
 export interface AcpSessionCompleted {
   type: "acp_session_completed";
   acpSessionId: string;
@@ -61,6 +47,5 @@ export interface AcpSessionError {
 export type _AcpServerMessages =
   | AcpSessionSpawned
   | AcpSessionUpdate
-  | AcpPermissionRequest
   | AcpSessionCompleted
   | AcpSessionError;

package/src/daemon/message-types/conversations.ts

@@ -372,6 +372,7 @@ export type ConversationErrorCode =
   | "PROVIDER_ORDERING"
   | "PROVIDER_WEB_SEARCH"
   | "PROVIDER_NOT_CONFIGURED"
+  | "MANAGED_KEY_INVALID"
   | "CONTEXT_TOO_LARGE"
   | "CONVERSATION_ABORTED"
   | "CONVERSATION_PROCESSING_FAILED"

package/src/daemon/message-types/guardian-actions.ts

@@ -47,6 +47,8 @@ export interface GuardianActionDecisionResponse {
   resolverFailureReason?: string;
   requestId?: string;
   userText?: string;
+  /** Resolver reply text for the guardian (e.g. verification code for access requests). */
+  replyText?: string;
 }
 
 // --- Domain-level union aliases (consumed by the barrel file) ---

package/src/daemon/message-types/host-bash.ts

@@ -15,6 +15,11 @@ export interface HostBashRequest {
   env?: Record<string, string>;
 }
 
+export interface HostBashCancelRequest {
+  type: "host_bash_cancel";
+  requestId: string;
+}
+
 // --- Domain-level union aliases (consumed by the barrel file) ---
 
-export type _HostBashServerMessages = HostBashRequest;
+export type _HostBashServerMessages = HostBashRequest | HostBashCancelRequest;

package/src/daemon/message-types/host-cu.ts

@@ -14,6 +14,11 @@ export interface HostCuRequest {
   reasoning?: string;
 }
 
+export interface HostCuCancelRequest {
+  type: "host_cu_cancel";
+  requestId: string;
+}
+
 // --- Domain-level union aliases (consumed by the barrel file) ---
 
-export type _HostCuServerMessages = HostCuRequest;
+export type _HostCuServerMessages = HostCuRequest | HostCuCancelRequest;

package/src/daemon/message-types/host-file.ts

@@ -39,6 +39,11 @@ export type HostFileRequest =
   | HostFileWriteRequest
   | HostFileEditRequest;
 
+export interface HostFileCancelRequest {
+  type: "host_file_cancel";
+  requestId: string;
+}
+
 // --- Domain-level union aliases (consumed by the barrel file) ---
 
-export type _HostFileServerMessages = HostFileRequest;
+export type _HostFileServerMessages = HostFileRequest | HostFileCancelRequest;

package/src/daemon/message-types/integrations.ts

@@ -188,7 +188,6 @@ export interface IntegrationConnectResult {
   accountInfo?: string | null;
   error?: string | null;
   setupRequired?: boolean;
-  setupSkillId?: string;
   setupHint?: string;
 }
 

package/src/daemon/message-types/memory.ts

@@ -21,7 +21,6 @@ export interface MemoryRecalled {
   model: string;
   degradation?: MemoryRecalledDegradation;
   semanticHits: number;
-  recencyHits: number;
   tier1Count: number;
   tier2Count: number;
   hybridSearchLatencyMs: number;

package/src/daemon/message-types/messages.ts

@@ -44,7 +44,7 @@ export interface SecretResponse {
   type: "secret_response";
   requestId: string;
   value?: string; // undefined = user cancelled
-  /** How the secret should be delivered: 'store' persists to keychain (default), 'transient_send' for one-time use without persisting. */
+  /** How the secret should be delivered: 'store' persists to credential store (default), 'transient_send' for one-time use without persisting. */
   delivery?: "store" | "transient_send";
 }
 
@@ -156,6 +156,14 @@ export interface ConfirmationRequest {
   temporaryOptionsAvailable?: Array<"allow_10m" | "allow_conversation">;
   /** The tool_use block ID for client-side correlation with specific tool calls. */
   toolUseId?: string;
+  /** ACP tool kind from the agent (e.g. "read", "edit", "execute"). Present only for ACP permission requests. */
+  acpToolKind?: string;
+  /** ACP permission options from the agent. Present only for ACP permission requests. Clients should use these to render the correct buttons. */
+  acpOptions?: Array<{
+    optionId: string;
+    name: string;
+    kind: "allow_once" | "allow_always" | "reject_once" | "reject_always";
+  }>;
 }
 
 export interface SecretRequest {

package/src/daemon/message-types/schedules.ts

@@ -84,6 +84,13 @@ export interface HeartbeatAlert {
   body: string;
 }
 
+/** Server push — broadcast when a heartbeat creates a conversation. */
+export interface HeartbeatConversationCreated {
+  type: "heartbeat_conversation_created";
+  conversationId: string;
+  title: string;
+}
+
 export interface HeartbeatConfigResponse {
   type: "heartbeat_config_response";
   enabled: boolean;
@@ -91,6 +98,7 @@ export interface HeartbeatConfigResponse {
   activeHoursStart: number | null;
   activeHoursEnd: number | null;
   nextRunAt: number | null;
+  lastRunAt: number | null;
   success: boolean;
   error?: string;
 }
@@ -141,6 +149,7 @@ export type _SchedulesClientMessages =
 export type _SchedulesServerMessages =
   | SchedulesListResponse
   | HeartbeatAlert
+  | HeartbeatConversationCreated
   | HeartbeatConfigResponse
   | HeartbeatRunsListResponse
   | HeartbeatRunNowResponse