@vellumai/assistant 0.5.11 → 0.5.13

package/src/tools/host-terminal/host-shell.ts

@@ -204,20 +204,33 @@ class HostShellTool implements Tool {
         cwd: workingDir,
         env: hostEnv,
         stdio: ["ignore", "pipe", "pipe"],
+        detached: true,
       });
 
       const timer = setTimeout(() => {
         timedOut = true;
-        child.kill("SIGKILL");
+        try {
+          process.kill(-child.pid!, "SIGKILL");
+        } catch {
+          // Process group may have already exited.
+        }
       }, timeoutMs);
 
       // Cooperative cancellation via AbortSignal
       const onAbort = () => {
-        child.kill("SIGKILL");
+        try {
+          process.kill(-child.pid!, "SIGKILL");
+        } catch {
+          // Process group may have already exited.
+        }
       };
       if (context.signal) {
         if (context.signal.aborted) {
-          child.kill("SIGKILL");
+          try {
+            process.kill(-child.pid!, "SIGKILL");
+          } catch {
+            // Process group may have already exited.
+          }
         } else {
           context.signal.addEventListener("abort", onAbort, { once: true });
         }

package/src/tools/mcp/mcp-tool-factory.ts

@@ -62,7 +62,7 @@ export function createMcpTool(
 
     async execute(
       input: Record<string, unknown>,
-      _context: ToolContext,
+      context: ToolContext,
     ): Promise<ToolExecutionResult> {
       try {
         // Strip injected activity before sending to MCP server
@@ -77,6 +77,7 @@ export function createMcpTool(
           serverId,
           metadata.name,
           forwardInput,
+          context.signal,
         );
         return {
           content: result.content,

package/src/tools/skills/sandbox-runner.ts

@@ -159,20 +159,33 @@ function spawnRunner(
       cwd: runDir,
       env,
       stdio: ["ignore", "pipe", "pipe"],
+      detached: true,
     });
 
     const timer = setTimeout(() => {
       timedOut = true;
-      child.kill("SIGKILL");
+      try {
+        process.kill(-child.pid!, "SIGKILL");
+      } catch {
+        // Process group may have already exited.
+      }
     }, timeoutMs);
 
     // Cooperative cancellation via AbortSignal
     const onAbort = () => {
-      child.kill("SIGKILL");
+      try {
+        process.kill(-child.pid!, "SIGKILL");
+      } catch {
+        // Process group may have already exited.
+      }
     };
     if (context.signal) {
       if (context.signal.aborted) {
-        child.kill("SIGKILL");
+        try {
+          process.kill(-child.pid!, "SIGKILL");
+        } catch {
+          // Process group may have already exited.
+        }
       } else {
         context.signal.addEventListener("abort", onAbort, { once: true });
       }

package/src/tools/terminal/shell.ts

@@ -329,20 +329,33 @@ class ShellTool implements Tool {
         cwd: context.workingDir,
         env,
         stdio: ["ignore", "pipe", "pipe"],
+        detached: true,
       });
 
       const timer = setTimeout(() => {
         timedOut = true;
-        child.kill("SIGKILL");
+        try {
+          process.kill(-child.pid!, "SIGKILL");
+        } catch {
+          // Process group may have already exited.
+        }
       }, timeoutMs);
 
       // Cooperative cancellation via AbortSignal
       const onAbort = () => {
-        child.kill("SIGKILL");
+        try {
+          process.kill(-child.pid!, "SIGKILL");
+        } catch {
+          // Process group may have already exited.
+        }
       };
       if (context.signal) {
         if (context.signal.aborted) {
-          child.kill("SIGKILL");
+          try {
+            process.kill(-child.pid!, "SIGKILL");
+          } catch {
+            // Process group may have already exited.
+          }
         } else {
           context.signal.addEventListener("abort", onAbort, { once: true });
         }

package/src/util/logger.ts

@@ -18,6 +18,7 @@ import {
 } from "../config/env-registry.js";
 import { logSerializers } from "./log-redact.js";
 import { getLogPath } from "./platform.js";
+import { createSentryLogStream } from "./sentry-log-stream.js";
 
 /** Common pino-pretty options that inline [module] into the message prefix. */
 function prettyOpts(extra?: PrettyOptions): PrettyOptions {
@@ -133,6 +134,11 @@ function buildRotatingLogger(config: LogFileConfig): pino.Logger {
   activeLogDate = today;
   activeLogFileConfig = { ...config, dir };
 
+  const sentryStream = {
+    stream: createSentryLogStream(),
+    level: "error" as const,
+  };
+
   // When stdout is not a TTY (e.g. desktop app redirects to a hatch log file),
   // write to the rotating file only — the hatch log already captured early
   // startup output and echoing pino output there is unnecessary duplication.
@@ -141,7 +147,10 @@ function buildRotatingLogger(config: LogFileConfig): pino.Logger {
   if (!process.stdout.isTTY && !getIsContainerized()) {
     return pino(
       { name: "assistant", level: "info", serializers: logSerializers },
-      fileStream,
+      pino.multistream([
+        { stream: fileStream, level: "info" as const },
+        sentryStream,
+      ]),
     );
   }
 
@@ -153,6 +162,7 @@ function buildRotatingLogger(config: LogFileConfig): pino.Logger {
         stream: pinoPretty(prettyOpts({ destination: 1 })),
         level: "info" as const,
       },
+      sentryStream,
     ]),
   );
 }

package/src/util/platform.ts

@@ -1,9 +1,4 @@
-import {
-  chmodSync,
-  existsSync,
-  mkdirSync,
-  readFileSync,
-} from "node:fs";
+import { chmodSync, existsSync, mkdirSync, readFileSync } from "node:fs";
 import { homedir } from "node:os";
 import { join } from "node:path";
 
@@ -44,90 +39,6 @@ export function getClipboardCommand(): string | null {
   return null;
 }
 
-
-/**
- * Resolve the instance data directory from the lockfile.
- *
- * Checks both ~/.vellum.lock.json (current) and ~/.vellum.lockfile.json
- * (legacy) to support installs that haven't migrated the filename.
- *
- * Reads the lockfile from homedir() directly (NOT via readLockfile() which
- * depends on BASE_DATA_DIR) to avoid circular dependency — this function is
- * called at CLI bootstrap before BASE_DATA_DIR is set.
- *
- * Resolution:
- *   - If activeAssistant matches a local assistant, returns its instanceDir.
- *   - If there is exactly one local assistant and no activeAssistant, returns
- *     its instanceDir (auto-select).
- *   - Returns undefined in all other cases (no lockfile, no local assistants,
- *     multiple local assistants with no active selection, malformed JSON).
- *
- * Synchronous (uses readFileSync) since it runs at bootstrap before any async
- * context. Never throws — catches all errors and returns undefined for
- * graceful degradation.
- */
-export function resolveInstanceDataDir(): string | undefined {
-  try {
-    const home = homedir();
-    const candidates = [
-      join(home, ".vellum.lock.json"),
-      join(home, ".vellum.lockfile.json"),
-    ];
-
-    let raw: unknown;
-    for (const lockPath of candidates) {
-      if (!existsSync(lockPath)) continue;
-      try {
-        const parsed = JSON.parse(readFileSync(lockPath, "utf-8"));
-        if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
-          raw = parsed;
-          break;
-        }
-      } catch {
-        // Malformed JSON; try next candidate
-      }
-    }
-    if (!raw || typeof raw !== "object" || Array.isArray(raw)) return undefined;
-    const lockData = raw as Record<string, unknown>;
-
-    const assistants = lockData.assistants as
-      | Array<Record<string, unknown>>
-      | undefined;
-    if (!Array.isArray(assistants)) return undefined;
-
-    const localAssistants = assistants.filter(
-      (a) => a.cloud === "local" || a.cloud === undefined,
-    );
-    if (localAssistants.length === 0) return undefined;
-
-    const activeAssistant = lockData.activeAssistant as string | undefined;
-
-    if (activeAssistant) {
-      const match = localAssistants.find(
-        (a) => a.assistantId === activeAssistant,
-      );
-      if (match) {
-        const resources = match.resources as
-          | Record<string, unknown>
-          | undefined;
-        return resources?.instanceDir as string | undefined;
-      }
-      return undefined;
-    }
-
-    if (localAssistants.length === 1) {
-      const resources = localAssistants[0].resources as
-        | Record<string, unknown>
-        | undefined;
-      return resources?.instanceDir as string | undefined;
-    }
-
-    return undefined;
-  } catch {
-    return undefined;
-  }
-}
-
 /**
  * Normalize an assistant ID to its canonical form for DB operations.
  *
@@ -147,7 +58,6 @@ export function normalizeAssistantId(assistantId: string): string {
   return assistantId;
 }
 
-
 /**
  * Returns the root ~/.vellum directory. User-facing files (config, prompt
  * files, skills) and runtime files (socket, PID) live here.

package/src/util/sentry-log-stream.ts

@@ -0,0 +1,51 @@
+import { Writable } from "node:stream";
+
+import * as Sentry from "@sentry/node";
+
+/**
+ * Pino-compatible writable stream that forwards error/fatal log messages
+ * to Sentry as captured events. Add this stream to a pino multistream at
+ * the "error" level so that every `log.error(…)` and `log.fatal(…)` call
+ * automatically creates a Sentry issue.
+ *
+ * If the log entry contains an `err` field (serialised error object), the
+ * error is captured via `Sentry.captureException`; otherwise the message
+ * text is captured via `Sentry.captureMessage`.
+ */
+export function createSentryLogStream(): Writable {
+  return new Writable({
+    write(chunk, _encoding, callback) {
+      try {
+        const entry = JSON.parse(chunk.toString());
+        const module: string = entry.module ?? "unknown";
+        const msg: string = entry.msg ?? "";
+
+        if (entry.err && typeof entry.err === "object") {
+          // Reconstruct an Error so Sentry gets a proper stack trace.
+          const errObj = entry.err;
+          const error = new Error(errObj.message ?? msg);
+          error.name = errObj.type ?? errObj.name ?? "Error";
+          if (errObj.stack) error.stack = errObj.stack;
+
+          Sentry.withScope((scope) => {
+            scope.setTag("source", "error_log");
+            scope.setTag("log_module", module);
+            scope.setLevel(entry.level >= 60 ? "fatal" : "error");
+            if (msg) scope.setExtra("log_message", msg);
+            Sentry.captureException(error);
+          });
+        } else {
+          Sentry.withScope((scope) => {
+            scope.setTag("source", "error_log");
+            scope.setTag("log_module", module);
+            scope.setLevel(entry.level >= 60 ? "fatal" : "error");
+            Sentry.captureMessage(`[${module}] ${msg}`);
+          });
+        }
+      } catch {
+        // Never block logging if Sentry capture fails.
+      }
+      callback();
+    },
+  });
+}

package/src/watcher/providers/github.ts

@@ -6,7 +6,7 @@
  * start from "now" and don't replay historical notifications.
  *
  * The credential service expects a GitHub Personal Access Token (or fine-grained
- * token) stored under `integration:github`. The token needs at minimum the
+ * token) stored under `github`. The token needs at minimum the
  * `notifications` scope (classic) or Notification read permission (fine-grained).
  */
 
@@ -117,7 +117,7 @@ async function fetchNotificationsPage(
 export const githubProvider: WatcherProvider = {
   id: "github",
   displayName: "GitHub",
-  requiredCredentialService: "integration:github",
+  requiredCredentialService: "github",
 
   async getInitialWatermark(_credentialService: string): Promise<string> {
     // Start from "now" so we don't replay all existing notifications

package/src/watcher/providers/gmail.ts

@@ -115,7 +115,7 @@ class HistoryExpiredError extends Error {
 export const gmailProvider: WatcherProvider = {
   id: "gmail",
   displayName: "Gmail",
-  requiredCredentialService: "integration:google",
+  requiredCredentialService: "google",
 
   async getInitialWatermark(credentialService: string): Promise<string> {
     const connection = await resolveOAuthConnection(credentialService);

package/src/watcher/providers/google-calendar.ts

@@ -25,7 +25,7 @@ import type {
 const log = getLogger("watcher:google-calendar");
 
 /** The credential service — calendar shares OAuth tokens with Gmail. */
-const CREDENTIAL_SERVICE = "integration:google";
+const CREDENTIAL_SERVICE = "google";
 
 function eventToItem(event: CalendarEvent, eventType: string): WatcherItem {
   const start = event.start?.dateTime ?? event.start?.date ?? "";

package/src/watcher/providers/linear.ts

@@ -9,7 +9,7 @@
  * for issues assigned to the authenticated user.
  *
  * The credential service expects a Linear API key (personal or OAuth access token)
- * stored under `integration:linear`. The token only needs read access to notifications
+ * stored under `linear`. The token only needs read access to notifications
  * and issues.
  */
 
@@ -495,7 +495,7 @@ function issueToStatusChangeItem(
 export const linearProvider: WatcherProvider = {
   id: "linear",
   displayName: "Linear",
-  requiredCredentialService: "integration:linear",
+  requiredCredentialService: "linear",
 
   async getInitialWatermark(_credentialService: string): Promise<string> {
     // Start from "now" so we don't replay all existing notifications

package/src/workspace/migrations/011-backfill-installation-id.ts

@@ -39,10 +39,12 @@ export const backfillInstallationIdMigration: WorkspaceMigration = {
 
     // b. Read the lockfile — check both the current and legacy lockfile paths
     //    to support installs that haven't migrated the filename yet.
-    const base = process.env.BASE_DATA_DIR?.trim() || homedir();
+    //    Always reads from homedir(), matching resolveInstanceDataDir() in
+    //    platform.ts — the lockfile is a per-user file, not per-instance.
+    const home = homedir();
     const lockCandidates = [
-      join(base, ".vellum.lock.json"),
-      join(base, ".vellum.lockfile.json"),
+      join(home, ".vellum.lock.json"),
+      join(home, ".vellum.lockfile.json"),
     ];
 
     let lockPath: string | undefined;

package/src/workspace/migrations/020-rename-oauth-skill-dirs.ts

@@ -0,0 +1,119 @@
+/**
+ * Workspace migration 020: Rename OAuth skill directories and update SKILLS.md
+ * index entries to match the new `<domain>-oauth-app-setup` naming convention.
+ *
+ * Also removes deleted skills (collaborative-oauth-flow, oauth-setup) that
+ * were superseded by vellum-oauth-integrations.
+ *
+ * Idempotent: safe to re-run after interruption at any point.
+ */
+
+import {
+  existsSync,
+  readFileSync,
+  renameSync,
+  rmSync,
+  writeFileSync,
+} from "node:fs";
+import { join } from "node:path";
+
+import type { WorkspaceMigration } from "./types.js";
+
+// ---------------------------------------------------------------------------
+// Rename map: old directory name -> new directory name
+// ---------------------------------------------------------------------------
+
+const RENAMES: [oldName: string, newName: string][] = [
+  ["google-oauth-applescript", "google-oauth-app-setup"],
+  ["airtable-oauth-setup", "airtable-oauth-app-setup"],
+  ["asana-oauth-setup", "asana-oauth-app-setup"],
+  ["discord-oauth-setup", "discord-oauth-app-setup"],
+  ["dropbox-oauth-setup", "dropbox-oauth-app-setup"],
+  ["figma-oauth-setup", "figma-oauth-app-setup"],
+  ["github-oauth-setup", "github-oauth-app-setup"],
+  ["hubspot-oauth-setup", "hubspot-oauth-app-setup"],
+  ["linear-oauth-setup", "linear-oauth-app-setup"],
+  ["notion-oauth-setup", "notion-oauth-app-setup"],
+  ["spotify-oauth-setup", "spotify-oauth-app-setup"],
+  ["todoist-oauth-setup", "todoist-oauth-app-setup"],
+  ["twitter-oauth-setup", "twitter-oauth-app-setup"],
+];
+
+/** Skills that were deleted and should be removed from the workspace. */
+const DELETED_SKILLS = ["collaborative-oauth-flow", "oauth-setup"];
+
+// ---------------------------------------------------------------------------
+// Migration
+// ---------------------------------------------------------------------------
+
+export const renameOauthSkillDirsMigration: WorkspaceMigration = {
+  id: "020-rename-oauth-skill-dirs",
+  description:
+    "Rename OAuth skill directories to <domain>-oauth-app-setup convention and remove deleted skills",
+
+  run(workspaceDir: string): void {
+    const skillsDir = join(workspaceDir, "skills");
+    if (!existsSync(skillsDir)) return;
+
+    // 1. Rename skill directories
+    for (const [oldName, newName] of RENAMES) {
+      const oldDir = join(skillsDir, oldName);
+      const newDir = join(skillsDir, newName);
+      if (existsSync(oldDir) && !existsSync(newDir)) {
+        renameSync(oldDir, newDir);
+      }
+    }
+
+    // 2. Remove deleted skill directories
+    for (const name of DELETED_SKILLS) {
+      const dir = join(skillsDir, name);
+      if (existsSync(dir)) {
+        rmSync(dir, { recursive: true, force: true });
+      }
+    }
+
+    // 3. Update SKILLS.md index entries
+    const indexPath = join(skillsDir, "SKILLS.md");
+    if (existsSync(indexPath)) {
+      let content = readFileSync(indexPath, "utf-8");
+      for (const [oldName, newName] of RENAMES) {
+        content = content.replaceAll(oldName, newName);
+      }
+      for (const name of DELETED_SKILLS) {
+        // Remove lines referencing deleted skills (e.g., "- collaborative-oauth-flow\n")
+        content = content.replace(
+          new RegExp(`^[\\t ]*-\\s*${name}\\s*\\n?`, "gm"),
+          "",
+        );
+      }
+      writeFileSync(indexPath, content, "utf-8");
+    }
+  },
+
+  down(workspaceDir: string): void {
+    const skillsDir = join(workspaceDir, "skills");
+    if (!existsSync(skillsDir)) return;
+
+    // Reverse renames
+    for (const [oldName, newName] of RENAMES) {
+      const oldDir = join(skillsDir, oldName);
+      const newDir = join(skillsDir, newName);
+      if (existsSync(newDir) && !existsSync(oldDir)) {
+        renameSync(newDir, oldDir);
+      }
+    }
+
+    // Reverse SKILLS.md index entries
+    const indexPath = join(skillsDir, "SKILLS.md");
+    if (existsSync(indexPath)) {
+      let content = readFileSync(indexPath, "utf-8");
+      for (const [oldName, newName] of RENAMES) {
+        content = content.replaceAll(newName, oldName);
+      }
+      writeFileSync(indexPath, content, "utf-8");
+    }
+
+    // Note: deleted skills cannot be restored by down() since they were
+    // removed from the repo. Users would need to reinstall them.
+  },
+};

package/src/workspace/migrations/registry.ts

@@ -16,6 +16,7 @@ import { migrateCredentialsFromKeychainMigration } from "./016-migrate-credentia
 import { seedPersonaDirsMigration } from "./017-seed-persona-dirs.js";
 import { rekeyCompoundCredentialKeysMigration } from "./018-rekey-compound-credential-keys.js";
 import { scopeJournalToGuardianMigration } from "./019-scope-journal-to-guardian.js";
+import { renameOauthSkillDirsMigration } from "./020-rename-oauth-skill-dirs.js";
 import { migrateToWorkspaceVolumeMigration } from "./migrate-to-workspace-volume.js";
 import type { WorkspaceMigration } from "./types.js";
 
@@ -43,4 +44,5 @@ export const WORKSPACE_MIGRATIONS: WorkspaceMigration[] = [
   extractFeatureFlagsToProtectedMigration,
   rekeyCompoundCredentialKeysMigration,
   scopeJournalToGuardianMigration,
+  renameOauthSkillDirsMigration,
 ];