@vellumai/assistant 0.5.15 → 0.6.0

package/src/tools/memory/register.ts

@@ -1,67 +1,56 @@
 import { getConfig } from "../../config/loader.js";
+import {
+  handleRecall,
+  handleRemember,
+  type RecallInput,
+  type RememberInput,
+} from "../../memory/graph/tool-handlers.js";
+import {
+  graphRecallDefinition,
+  graphRememberDefinition,
+} from "../../memory/graph/tools.js";
 import { RiskLevel } from "../../permissions/types.js";
 import type { ToolDefinition } from "../../providers/types.js";
 import type { Tool, ToolContext, ToolExecutionResult } from "../types.js";
-import {
-  memoryManageDefinition,
-  memoryRecallDefinition,
-} from "./definitions.js";
-import {
-  handleMemoryDelete,
-  handleMemoryRecall,
-  handleMemorySave,
-  handleMemoryUpdate,
-} from "./handlers.js";
 
-// ── memory_manage ────────────────────────────────────────────────────
+// ── remember ────────────────────────────────────────────────────────
 
-class MemoryManageTool implements Tool {
-  name = "memory_manage";
-  description = memoryManageDefinition.description;
+class RememberTool implements Tool {
+  name = "remember";
+  description = graphRememberDefinition.description;
   category = "memory";
   defaultRiskLevel = RiskLevel.Low;
 
   getDefinition(): ToolDefinition {
-    return memoryManageDefinition;
+    return graphRememberDefinition;
   }
 
   async execute(
     input: Record<string, unknown>,
     context: ToolContext,
   ): Promise<ToolExecutionResult> {
-    const config = getConfig();
-    switch (input.op) {
-      case "save":
-        return handleMemorySave(
-          input,
-          config,
-          context.conversationId,
-          context.requestId,
-          context.memoryScopeId,
-        );
-      case "update":
-        return handleMemoryUpdate(input, config, context.memoryScopeId);
-      case "delete":
-        return handleMemoryDelete(input, config, context.memoryScopeId);
-      default:
-        return {
-          content: `Error: unknown op "${input.op}". Must be one of: save, update, delete`,
-          isError: true,
-        };
-    }
+    const result = handleRemember(
+      input as unknown as RememberInput,
+      context.conversationId,
+      context.memoryScopeId ?? "default",
+    );
+    return {
+      content: result.message,
+      isError: !result.success,
+    };
   }
 }
 
-// ── memory_recall ────────────────────────────────────────────────────
+// ── recall ──────────────────────────────────────────────────────────
 
-class MemoryRecallTool implements Tool {
-  name = "memory_recall";
-  description = memoryRecallDefinition.description;
+class RecallTool implements Tool {
+  name = "recall";
+  description = graphRecallDefinition.description;
   category = "memory";
   defaultRiskLevel = RiskLevel.Low;
 
   getDefinition(): ToolDefinition {
-    return memoryRecallDefinition;
+    return graphRecallDefinition;
   }
 
   async execute(
@@ -69,16 +58,44 @@ class MemoryRecallTool implements Tool {
     context: ToolContext,
   ): Promise<ToolExecutionResult> {
     const config = getConfig();
-    return handleMemoryRecall(
-      input,
+    const result = await handleRecall(
+      input as unknown as RecallInput,
       config,
-      context.memoryScopeId,
-      context.conversationId,
+      context.memoryScopeId ?? "default",
     );
+
+    if (result.results.length === 0) {
+      return { content: "No results found.", isError: false };
+    }
+
+    const formatted = result.results
+      .map((r) => {
+        const ts = formatTimestamp(r.created);
+        const meta =
+          result.mode === "memory"
+            ? `[${r.type}] ${ts} (confidence: ${r.confidence.toFixed(2)}, score: ${r.score.toFixed(3)})`
+            : `[archive] ${ts}`;
+        return `${meta}\n${r.content}`;
+      })
+      .join("\n\n---\n\n");
+
+    return { content: formatted, isError: false };
   }
 }
 
+// ── Helpers ─────────────────────────────────────────────────────────
+
+function formatTimestamp(epochMs: number): string {
+  const d = new Date(epochMs);
+  const mm = String(d.getMonth() + 1).padStart(2, "0");
+  const dd = String(d.getDate()).padStart(2, "0");
+  const yy = String(d.getFullYear()).slice(-2);
+  const hh = String(d.getHours()).padStart(2, "0");
+  const min = String(d.getMinutes()).padStart(2, "0");
+  return `${mm}/${dd}/${yy} ${hh}:${min}`;
+}
+
 // ── Exported tool instances ──────────────────────────────────────────
 
-export const memoryManageTool = new MemoryManageTool();
-export const memoryRecallTool = new MemoryRecallTool();
+export const rememberTool = new RememberTool();
+export const recallTool = new RecallTool();

package/src/tools/permission-checker.ts

@@ -8,6 +8,7 @@ import {
 } from "../permissions/checker.js";
 import type { PermissionPrompter } from "../permissions/prompter.js";
 import { addRule } from "../permissions/trust-store.js";
+import { RiskLevel } from "../permissions/types.js";
 import {
   getEffectiveMode,
   setConversationMode,
@@ -137,24 +138,6 @@ export class PermissionChecker {
       }
 
       if (result.decision === "prompt") {
-        // dangerouslySkipPermissions: when enabled, auto-approve all prompts
-        // without user interaction. Deny rules are still respected (they
-        // return before reaching this block).
-        //
-        // Note: unlike guardian auto-approve and temporary overrides below,
-        // this intentionally does NOT check `context.requireFreshApproval`.
-        // The setting is designed to skip ALL interactive prompts
-        // unconditionally — it is an explicit operator opt-out from the
-        // permission system, so requireFreshApproval does not apply.
-        const cfg = getConfig();
-        if (cfg.permissions.dangerouslySkipPermissions) {
-          log.info(
-            { toolName: name, riskLevel },
-            "dangerouslySkipPermissions active — auto-approving without prompt",
-          );
-          return { allowed: true, decision: "dangerously_skip_permissions", riskLevel };
-        }
-
         // Guardian-trust sessions (e.g. scheduled jobs, reminders) should be
         // able to use bundled tools without interactive approval. The guardian
         // is the owner - prompting makes no sense when there is no client.
@@ -163,6 +146,10 @@ export class PermissionChecker {
         // Exception: inline-command skill loads (skill_load_dynamic:*) must
         // never be silently auto-approved — they execute embedded commands
         // and require explicit human review or a pinned trust rule.
+        // Exception: high-risk tools (e.g. destructive shell commands, writes
+        // to sensitive paths) are denied — unattended sessions must not
+        // auto-approve operations that could cause significant damage if
+        // triggered by prompt injection from untrusted content.
         const isDynamicSkillLoad =
           result.matchedRule?.pattern.startsWith("skill_load_dynamic:") ===
           true;
@@ -170,7 +157,8 @@ export class PermissionChecker {
           context.isInteractive === false &&
           context.trustClass === "guardian" &&
           !context.requireFreshApproval &&
-          !isDynamicSkillLoad
+          !isDynamicSkillLoad &&
+          riskLevel !== RiskLevel.High
         ) {
           log.info(
             { toolName: name, riskLevel },

package/src/tools/shared/filesystem/image-read.ts

@@ -1,8 +1,6 @@
-import { execFileSync } from "node:child_process";
-import { readFileSync, statSync, unlinkSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
+import { readFileSync, statSync } from "node:fs";
 
+import { optimizeImageForTransport } from "../../../agent/image-optimize.js";
 import type { ImageContent } from "../../../providers/types.js";
 import type { ToolExecutionResult } from "../../types.js";
 
@@ -17,12 +15,6 @@ export const IMAGE_EXTENSIONS = new Set([
 const MAX_SIZE_BYTES = 20 * 1024 * 1024; // 20 MB — LLM API transport limit (post-optimization)
 const MAX_SOURCE_SIZE_BYTES = 100 * 1024 * 1024; // 100 MB — pre-optimization guard
 
-// Images above this threshold get auto-optimized via sips (macOS) to avoid
-// sending multi-MB base64 payloads to the LLM API.
-const OPTIMIZE_THRESHOLD_BYTES = 1 * 1024 * 1024; // 1 MB
-const OPTIMIZE_MAX_DIMENSION = 1568; // Anthropic's recommended max
-const OPTIMIZE_JPEG_QUALITY = 80;
-
 /**
  * Detect the actual image format from the first bytes of the buffer.
  * Returns the MIME type, or null if unrecognised.
@@ -69,36 +61,6 @@ function detectMediaType(buf: Buffer): string | null {
   return null;
 }
 
-/**
- * Use macOS `sips` to resize and convert an image to JPEG.
- * Returns the path to the optimized temp file, or null if sips is unavailable.
- */
-function optimizeWithSips(srcPath: string): string | null {
-  const tmpPath = join(tmpdir(), `vellum-view-image-${Date.now()}.jpg`);
-  try {
-    execFileSync(
-      "sips",
-      [
-        "--resampleHeightWidthMax",
-        String(OPTIMIZE_MAX_DIMENSION),
-        "-s",
-        "format",
-        "jpeg",
-        "-s",
-        "formatOptions",
-        String(OPTIMIZE_JPEG_QUALITY),
-        srcPath,
-        "--out",
-        tmpPath,
-      ],
-      { stdio: "pipe", timeout: 15_000 },
-    );
-    return tmpPath;
-  } catch {
-    return null;
-  }
-}
-
 /**
  * Read an image file from disk, optionally optimize it, and return a
  * ToolExecutionResult with base64-encoded image content blocks.
@@ -130,51 +92,11 @@ export function readImageFile(resolvedPath: string): ToolExecutionResult {
   }
 
   let buffer: Buffer;
-  let optimized = false;
-  let tmpPath: string | null = null;
-
   try {
-    if (stat.size > OPTIMIZE_THRESHOLD_BYTES) {
-      tmpPath = optimizeWithSips(resolvedPath);
-      if (tmpPath) {
-        buffer = readFileSync(tmpPath) as Buffer;
-        optimized = true;
-      } else {
-        // sips unavailable — fast-fail if original file exceeds the transport limit
-        if (stat.size > MAX_SIZE_BYTES) {
-          const sizeMB = (stat.size / (1024 * 1024)).toFixed(1);
-          return {
-            content: `Error: image too large (${sizeMB} MB). Maximum is 20 MB. Image optimization (sips) is unavailable on this platform.`,
-            isError: true,
-          };
-        }
-        buffer = readFileSync(resolvedPath) as Buffer;
-      }
-    } else {
-      buffer = readFileSync(resolvedPath) as Buffer;
-    }
+    buffer = readFileSync(resolvedPath) as Buffer;
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
     return { content: `Error reading file: ${msg}`, isError: true };
-  } finally {
-    if (tmpPath) {
-      try {
-        unlinkSync(tmpPath);
-      } catch {
-        /* ignore cleanup errors */
-      }
-    }
-  }
-
-  if (buffer.length > MAX_SIZE_BYTES) {
-    const sizeMB = (buffer.length / (1024 * 1024)).toFixed(1);
-    const msg = optimized
-      ? `Error: image too large after optimization (${sizeMB} MB). Maximum is 20 MB.`
-      : `Error: image too large (${sizeMB} MB). Maximum is 20 MB.`;
-    return {
-      content: msg,
-      isError: true,
-    };
   }
 
   // Detect actual format from magic bytes - never trust the file extension
@@ -187,25 +109,40 @@ export function readImageFile(resolvedPath: string): ToolExecutionResult {
     };
   }
 
-  const base64Data = buffer.toString("base64");
+  // Optimize before size-checking — oversized images may compress under the limit.
+  const rawBase64 = buffer.toString("base64");
+  const { data: base64Data, mediaType: finalType } =
+    optimizeImageForTransport(rawBase64, detectedType);
+  const optimized = base64Data !== rawBase64;
+
+  const optimizedBytes = optimized
+    ? Math.ceil((base64Data.length * 3) / 4)
+    : buffer.length;
+  if (optimizedBytes > MAX_SIZE_BYTES) {
+    const sizeMB = (optimizedBytes / (1024 * 1024)).toFixed(1);
+    return {
+      content: `Error: image too large (${sizeMB} MB). Maximum is 20 MB even after optimization.`,
+      isError: true,
+    };
+  }
 
   const imageBlock: ImageContent = {
     type: "image" as const,
     source: {
       type: "base64" as const,
-      media_type: detectedType,
+      media_type: finalType,
       data: base64Data,
     },
   };
 
   const sizeSuffix = optimized
     ? ` (optimized from ${(stat.size / 1024).toFixed(0)} KB to ${(
-        buffer.length / 1024
+        optimizedBytes / 1024
       ).toFixed(0)} KB)`
     : "";
 
   return {
-    content: `Image loaded: ${resolvedPath} (${buffer.length} bytes, ${detectedType})${sizeSuffix}`,
+    content: `Image loaded: ${resolvedPath} (${optimizedBytes} bytes, ${finalType})${sizeSuffix}`,
     isError: false,
     contentBlocks: [imageBlock],
   };

package/src/tools/skills/skill-script-runner.ts

@@ -40,7 +40,7 @@ export async function runSkillToolScript(
   context: ToolContext,
   options?: RunSkillToolScriptOptions,
 ): Promise<ToolExecutionResult> {
-  if (options?.target === "sandbox") {
+  if (options?.target === "sandbox" && !options?.bundled) {
     return runSkillToolScriptSandbox(skillDir, executorPath, input, context, {
       timeoutMs: options.timeoutMs,
       expectedSkillVersionHash: options.expectedSkillVersionHash,

package/src/tools/terminal/safe-env.ts

@@ -35,6 +35,7 @@ const SAFE_ENV_VARS = [
   "CES_CREDENTIAL_URL",
   "CES_MANAGED_MODE",
   "IS_CONTAINERIZED",
+  "IS_PLATFORM",
   "CES_SERVICE_TOKEN",
 ] as const;
 

package/src/tools/tool-manifest.ts

@@ -18,7 +18,7 @@ import { credentialStoreTool } from "./credentials/vault.js";
 import { fileEditTool } from "./filesystem/edit.js";
 import { fileReadTool } from "./filesystem/read.js";
 import { fileWriteTool } from "./filesystem/write.js";
-import { memoryManageTool, memoryRecallTool } from "./memory/register.js";
+import { recallTool, rememberTool } from "./memory/register.js";
 import { webFetchTool } from "./network/web-fetch.js";
 import { webSearchTool } from "./network/web-search.js";
 import { skillExecuteTool } from "./skills/execute.js";
@@ -82,8 +82,8 @@ export const explicitTools: Tool[] = [
   skillLoadTool,
   requestSystemPermissionTool,
   // Always-explicit tools
-  memoryManageTool,
-  memoryRecallTool,
+  rememberTool,
+  recallTool,
   credentialStoreTool,
 ];
 

package/src/util/browser.ts

@@ -1,15 +1,30 @@
-import { isLinux, isMacOS } from "./platform.js";
+import { mkdirSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+
+import { getLogger } from "./logger.js";
+import { getSignalsDir } from "./platform.js";
+
+const log = getLogger("browser");
 
 /**
- * Open a URL in the user's default browser, falling back to printing the URL
- * to stderr on unsupported platforms.
+ * Open a URL on the user's host machine.
+ *
+ * Writes an `open_url` event to the `signals/emit-event` file so that the
+ * daemon's ConfigWatcher picks it up and publishes it to connected clients
+ * (e.g. the Swift macOS app) via the assistant event hub.
  */
-export function openInBrowser(url: string): void {
-  if (isMacOS()) {
-    Bun.spawn(["open", url], { stdout: "ignore", stderr: "ignore" });
-  } else if (isLinux()) {
-    Bun.spawn(["xdg-open", url], { stdout: "ignore", stderr: "ignore" });
-  } else {
-    process.stderr.write(`Open this URL to authorize:\n\n${url}\n`);
+export async function openInHostBrowser(url: string): Promise<void> {
+  try {
+    const signalsDir = getSignalsDir();
+    mkdirSync(signalsDir, { recursive: true });
+    writeFileSync(
+      join(signalsDir, "emit-event"),
+      JSON.stringify({ type: "open_url", url }),
+    );
+  } catch (err) {
+    log.warn(
+      { error: err instanceof Error ? err.message : String(err) },
+      "Failed to write open_url signal",
+    );
   }
 }

package/src/util/bun-runtime.ts

@@ -0,0 +1,172 @@
+/**
+ * Shared helper for locating or JIT-installing a standalone `bun` binary.
+ *
+ * Several subsystems (package resolver, hook runner, browser runtime,
+ * credential execution, embedding runtime) need to spawn `bun` as a child
+ * process. Inside a `bun build --compile` binary, `process.execPath` is the
+ * compiled app — not the bun CLI — and the user may not have bun on PATH.
+ *
+ * This module checks well-known locations first, and if none is found it
+ * downloads a pinned release from GitHub into $VELLUM_WORKSPACE_DIR/bin/.
+ */
+
+import {
+  chmodSync,
+  existsSync,
+  mkdirSync,
+  renameSync,
+  rmSync,
+  writeFileSync,
+} from "node:fs";
+import { arch, homedir, platform } from "node:os";
+import { basename, join } from "node:path";
+
+import { getLogger } from "./logger.js";
+import { getBinDir } from "./platform.js";
+
+const log = getLogger("bun-runtime");
+
+/** Pinned bun version to download when no system bun is available. */
+const BUN_VERSION = "1.2.0";
+
+/** Module-level cache so we only resolve/download once per process. */
+let cachedBunPath: string | undefined;
+
+/** In-flight download promise to deduplicate concurrent callers. */
+let inflightDownload: Promise<string> | undefined;
+
+/**
+ * Return a path to a usable `bun` binary, downloading one if necessary.
+ *
+ * Resolution order:
+ * 1. `process.execPath` if it IS the bun CLI (dev mode)
+ * 2. Previously downloaded copy at $VELLUM_WORKSPACE_DIR/bin/bun
+ * 3. Common install locations (~/.bun/bin/bun, /opt/homebrew/bin/bun, etc.)
+ * 4. `Bun.which("bun")` (PATH lookup)
+ * 5. Download from GitHub releases into $VELLUM_WORKSPACE_DIR/bin/
+ */
+export async function ensureBun(): Promise<string> {
+  if (cachedBunPath && existsSync(cachedBunPath)) {
+    return cachedBunPath;
+  }
+
+  const found = findBun();
+  if (found) {
+    cachedBunPath = found;
+    return found;
+  }
+
+  // No bun found anywhere — download it.
+  // Use an in-flight promise to deduplicate concurrent callers.
+  if (!inflightDownload) {
+    log.info("No bun binary found, downloading…");
+    const binDir = getBinDir();
+    inflightDownload = downloadBun(binDir).finally(() => {
+      inflightDownload = undefined;
+    });
+  }
+  const downloaded = await inflightDownload;
+  cachedBunPath = downloaded;
+  return downloaded;
+}
+
+/**
+ * Synchronous check for an already-available bun binary.
+ * Returns the path if found, undefined otherwise. Does NOT download.
+ */
+export function findBun(): string | undefined {
+  // 1. process.execPath if it is the bun CLI itself (dev mode)
+  const execBase = basename(process.execPath);
+  if (execBase === "bun" || execBase === "bun.exe") {
+    return process.execPath;
+  }
+
+  // 2. Previously downloaded copy
+  const downloaded = join(getBinDir(), "bun");
+  if (existsSync(downloaded)) return downloaded;
+
+  // 3. Common install locations
+  const home = homedir();
+  for (const p of [
+    join(home, ".bun", "bin", "bun"),
+    "/opt/homebrew/bin/bun",
+    "/usr/local/bin/bun",
+  ]) {
+    if (existsSync(p)) return p;
+  }
+
+  // 4. PATH lookup
+  const which = Bun.which("bun");
+  if (which) return which;
+
+  return undefined;
+}
+
+/**
+ * Download a pinned bun release into the given directory.
+ * Returns the absolute path to the downloaded binary.
+ */
+async function downloadBun(installDir: string): Promise<string> {
+  const os = platform();
+  const cpu = arch() === "arm64" ? "aarch64" : arch();
+  const target = `${os}-${cpu}`;
+  const url = `https://github.com/oven-sh/bun/releases/download/bun-v${BUN_VERSION}/bun-${target}.zip`;
+
+  log.info({ url, target, bunVersion: BUN_VERSION }, "Downloading bun binary");
+
+  const response = await fetch(url, { redirect: "follow" });
+  if (!response.ok) {
+    throw new Error(
+      `Failed to download bun: ${response.status} ${response.statusText}`,
+    );
+  }
+
+  const zipData = await response.arrayBuffer();
+  mkdirSync(installDir, { recursive: true });
+
+  const tmpZip = join(installDir, `bun-download-${Date.now()}.zip`);
+  writeFileSync(tmpZip, Buffer.from(zipData));
+
+  try {
+    const proc = Bun.spawn({
+      cmd: ["unzip", "-o", tmpZip, "-d", installDir],
+      stdout: "ignore",
+      stderr: "pipe",
+    });
+    await proc.exited;
+    if (proc.exitCode !== 0) {
+      const stderr = await new Response(proc.stderr).text();
+      throw new Error(`Failed to extract bun zip: ${stderr}`);
+    }
+
+    // Move binary from bun-{target}/bun to installDir/bun
+    const extractedBun = join(installDir, `bun-${target}`, "bun");
+    const finalPath = join(installDir, "bun");
+    if (existsSync(extractedBun)) {
+      // Remove old binary first to avoid "Text file busy" on some systems
+      if (existsSync(finalPath)) {
+        rmSync(finalPath);
+      }
+      renameSync(extractedBun, finalPath);
+      rmSync(join(installDir, `bun-${target}`), {
+        recursive: true,
+        force: true,
+      });
+    } else if (!existsSync(finalPath)) {
+      throw new Error(
+        `Bun binary not found at expected path after extraction: ${extractedBun}`,
+      );
+    }
+
+    chmodSync(finalPath, 0o755);
+
+    log.info({ path: finalPath }, "Bun binary downloaded successfully");
+    return finalPath;
+  } finally {
+    try {
+      rmSync(tmpZip);
+    } catch {
+      /* ignore cleanup failure */
+    }
+  }
+}