@vellumai/assistant 0.5.16 → 0.6.1

package/src/notifications/adapters/macos.ts

@@ -37,6 +37,7 @@ const GUARDIAN_SENSITIVE_EVENT_PREFIXES = [
   "guardian.question",
   "ingress.escalation",
   "ingress.access_request",
+  "guardian.channel_activation",
 ] as const;
 
 export function isGuardianSensitiveEvent(sourceEventName: string): boolean {

package/src/notifications/copy-composer.ts

@@ -353,6 +353,15 @@ const TEMPLATES: Partial<Record<NotificationSourceEventName, CopyTemplate>> = {
     };
   },
 
+  "guardian.channel_activation": (payload) => {
+    const code = str(payload.verificationCode, "------");
+    const channel = str(payload.sourceChannel, "a channel");
+    return {
+      title: "Guardian Verification Code",
+      body: `Your ${channel} verification code is: ${code}\n\nEnter this code in your ${channel} chat to verify your identity as guardian.`,
+    };
+  },
+
   "ingress.access_request": (payload) => ({
     title: "Access Request",
     body: buildAccessRequestContractText(payload),
@@ -399,6 +408,92 @@ const TEMPLATES: Partial<Record<NotificationSourceEventName, CopyTemplate>> = {
     };
   },
 
+  "ingress.trusted_contact.guardian_decision": (payload) => {
+    const decision = str(payload.decision, "decided on");
+    const sourceChannel =
+      typeof payload.sourceChannel === "string"
+        ? payload.sourceChannel
+        : undefined;
+
+    const requesterDisplayName =
+      typeof payload.requesterDisplayName === "string" &&
+      payload.requesterDisplayName.length > 0
+        ? payload.requesterDisplayName
+        : undefined;
+    const requesterExternalUserId =
+      typeof payload.requesterExternalUserId === "string" &&
+      payload.requesterExternalUserId.length > 0
+        ? payload.requesterExternalUserId
+        : undefined;
+    const requesterLabel = sanitizeIdentityField(
+      requesterDisplayName ??
+        (sourceChannel === "slack" &&
+        requesterExternalUserId &&
+        /^U[A-Z0-9]+$/i.test(requesterExternalUserId)
+          ? `<@${requesterExternalUserId}>`
+          : requesterExternalUserId) ??
+        "Someone",
+    );
+
+    const decidedByDisplayName =
+      typeof payload.decidedByDisplayName === "string" &&
+      payload.decidedByDisplayName.length > 0
+        ? payload.decidedByDisplayName
+        : undefined;
+    const decidedByExternalUserId =
+      typeof payload.decidedByExternalUserId === "string" &&
+      payload.decidedByExternalUserId.length > 0
+        ? payload.decidedByExternalUserId
+        : undefined;
+    const decidedByLabel = sanitizeIdentityField(
+      decidedByDisplayName ??
+        (sourceChannel === "slack" &&
+        decidedByExternalUserId &&
+        /^U[A-Z0-9]+$/i.test(decidedByExternalUserId)
+          ? `<@${decidedByExternalUserId}>`
+          : decidedByExternalUserId) ??
+        "a guardian",
+    );
+
+    const verb = decision === "approved" ? "approved" : "denied";
+    return {
+      title: "Trusted Contact Decision",
+      body: `${requesterLabel}'s access request has been ${verb} by ${decidedByLabel}.`,
+    };
+  },
+
+  "ingress.trusted_contact.denied": (payload) => {
+    const sourceChannel =
+      typeof payload.sourceChannel === "string"
+        ? payload.sourceChannel
+        : undefined;
+
+    const requesterDisplayName =
+      typeof payload.requesterDisplayName === "string" &&
+      payload.requesterDisplayName.length > 0
+        ? payload.requesterDisplayName
+        : undefined;
+    const requesterExternalUserId =
+      typeof payload.requesterExternalUserId === "string" &&
+      payload.requesterExternalUserId.length > 0
+        ? payload.requesterExternalUserId
+        : undefined;
+    const requesterLabel = sanitizeIdentityField(
+      requesterDisplayName ??
+        (sourceChannel === "slack" &&
+        requesterExternalUserId &&
+        /^U[A-Z0-9]+$/i.test(requesterExternalUserId)
+          ? `<@${requesterExternalUserId}>`
+          : requesterExternalUserId) ??
+        "Someone",
+    );
+
+    return {
+      title: "Trusted Contact Denied",
+      body: `A trusted contact request from ${requesterLabel} has been denied.`,
+    };
+  },
+
   "ingress.escalation": (payload) => ({
     title: "Escalation",
     body:

package/src/notifications/decision-engine.ts

@@ -13,6 +13,7 @@ import { v4 as uuid } from "uuid";
 
 import { getDeliverableChannels } from "../channels/config.js";
 import { getConfig } from "../config/loader.js";
+import { listGuardianChannels } from "../contacts/contact-store.js";
 import { resolveGuardianPersona } from "../prompts/persona-resolver.js";
 import { buildCoreIdentityContext } from "../prompts/system-prompt.js";
 import {
@@ -73,6 +74,7 @@ function buildSystemPrompt(
   preferenceContext?: string,
   candidateContext?: string,
   identityContext?: string,
+  recipientNotes?: string,
 ): string {
   const sections: string[] = [
     `You are a notification routing engine. Given a signal describing an event, decide whether the user should be notified, on which channel(s), and compose the notification copy.`,
@@ -89,6 +91,16 @@ function buildSystemPrompt(
     );
   }
 
+  if (recipientNotes) {
+    sections.push(
+      ``,
+      `<recipient-context>`,
+      `The following are notes about the notification recipient. Use this context to tailor notification tone, formality, and content to the recipient's preferences.`,
+      recipientNotes,
+      `</recipient-context>`,
+    );
+  }
+
   if (identityContext) {
     sections.push(
       ``,
@@ -807,11 +819,34 @@ async function classifyWithLLM(
   const identityContext = rawIdentityContext
     ? truncate(rawIdentityContext, MAX_IDENTITY_CONTEXT_CHARS, "\n…[truncated]")
     : undefined;
+
+  // Resolve guardian contact notes for recipient context. Use the channel-
+  // agnostic guardian lookup so notes are available even when the only
+  // deliverable channel is "vellum" (which has no contact channel type).
+  let recipientNotes: string | undefined;
+  try {
+    const guardianResult = listGuardianChannels();
+    if (guardianResult?.contact.notes) {
+      recipientNotes = truncate(
+        guardianResult.contact.notes,
+        MAX_IDENTITY_CONTEXT_CHARS,
+        "\n…[truncated]",
+      );
+    }
+  } catch (err) {
+    const errMsg = err instanceof Error ? err.message : String(err);
+    log.warn(
+      { err: errMsg },
+      "Failed to resolve guardian contact notes, proceeding without recipient context",
+    );
+  }
+
   const systemPrompt = buildSystemPrompt(
     availableChannels,
     preferenceContext,
     candidateContext,
     identityContext,
+    recipientNotes,
   );
   const prompt = buildUserPrompt(signal);
   const tool = buildDecisionTool(availableChannels);

package/src/notifications/signal.ts

@@ -46,6 +46,11 @@ export const NOTIFICATION_SOURCE_EVENT_NAMES = [
     id: "guardian.question",
     description: "Guardian approval question requiring response",
   },
+  {
+    id: "guardian.channel_activation",
+    description:
+      "Guardian channel activation code delivered for /start verification",
+  },
   { id: "ingress.access_request", description: "Non-member requesting access" },
   {
     id: "ingress.access_request.callback_handoff",
@@ -155,9 +160,20 @@ export interface AccessRequestContextPayload {
   messagePreview: string | null;
 }
 
+export interface GuardianChannelActivationPayload {
+  verificationCode: string;
+  sourceChannel: string;
+  actorExternalId: string;
+  actorDisplayName: string | null;
+  actorUsername: string | null;
+  sessionId: string;
+  expiresAt: number;
+}
+
 export interface NotificationEventContextPayloadMap {
   "guardian.question": GuardianQuestionPayload;
   "ingress.access_request": AccessRequestContextPayload;
+  "guardian.channel_activation": GuardianChannelActivationPayload;
 }
 
 export type NotificationContextPayload<TEventName extends string = string> =

package/src/oauth/seed-providers.ts

@@ -90,6 +90,7 @@ const PROVIDER_SEED_DATA: Record<
       forbiddenScopes: [],
     },
     extraParams: { access_type: "offline", prompt: "consent" },
+    loopbackPort: 17321,
     managedServiceConfigKey: "google-oauth",
     injectionTemplates: [
       {
@@ -619,6 +620,7 @@ const PROVIDER_SEED_DATA: Record<
       "Mail.Send",
       "Calendars.Read",
       "Calendars.ReadWrite",
+      "MailboxSettings.ReadWrite",
     ],
     scopePolicy: {
       allowAdditionalScopes: true,
@@ -640,7 +642,6 @@ const PROVIDER_SEED_DATA: Record<
     appType: "App registration",
     identityUrl: "https://graph.microsoft.com/v1.0/me",
     identityResponsePaths: ["mail", "userPrincipalName"],
-    featureFlag: "outlook-oauth-integration",
   },
 
   // Manual-token providers: these don't use OAuth2 flows but need provider

package/src/permissions/checker.ts

@@ -1,6 +1,6 @@
 import { createHash } from "node:crypto";
 import { homedir } from "node:os";
-import { dirname, resolve } from "node:path";
+import { dirname, join, resolve } from "node:path";
 
 import { isAssistantFeatureFlagEnabled } from "../config/assistant-feature-flags.js";
 import { getConfig } from "../config/loader.js";
@@ -19,7 +19,7 @@ import {
   looksLikePathOnlyInput,
 } from "../tools/network/url-safety.js";
 import { getTool } from "../tools/registry.js";
-import { getWorkspaceHooksDir } from "../util/platform.js";
+import { getDeprecatedDir, getWorkspaceHooksDir } from "../util/platform.js";
 import {
   buildShellAllowlistOptions,
   buildShellCommandCandidates,
@@ -677,7 +677,7 @@ export async function classifyRisk(
     }
   }
 
-  const result = await classifyRiskUncached(
+  let result = await classifyRiskUncached(
     toolName,
     input,
     workingDir,
@@ -685,6 +685,17 @@ export async function classifyRisk(
     manifestOverride,
   );
 
+  // Proxied bash commands route through the credential proxy which handles
+  // per-request approval separately. Cap the bash tool's own risk at Medium
+  // so trust rules can auto-allow the command execution.
+  if (
+    toolName === "bash" &&
+    input.network_mode === "proxied" &&
+    result === RiskLevel.High
+  ) {
+    result = RiskLevel.Medium;
+  }
+
   if (cacheKey) {
     if (riskCache.size >= RISK_CACHE_MAX) {
       const oldest = riskCache.keys().next().value;
@@ -703,7 +714,13 @@ async function classifyRiskUncached(
   preParsed?: ParsedCommand,
   manifestOverride?: ManifestOverride,
 ): Promise<RiskLevel> {
-  if (toolName === "file_read") return RiskLevel.Low;
+  if (toolName === "file_read") {
+    const filePath = getStringField(input, "path", "file_path");
+    if (isActorTokenSigningKeyPath(filePath, workingDir)) {
+      return RiskLevel.High;
+    }
+    return RiskLevel.Low;
+  }
   if (toolName === "file_write" || toolName === "file_edit") {
     const filePath = getStringField(input, "path", "file_path");
     if (
@@ -937,6 +954,21 @@ async function classifyRiskUncached(
   return RiskLevel.Medium;
 }
 
+function isActorTokenSigningKeyPath(
+  filePath: string | undefined,
+  workingDir?: string,
+): boolean {
+  if (!filePath) return false;
+  const cwd = workingDir ?? process.cwd();
+  const resolvedPath = resolve(cwd, filePath);
+  const signingKeyPaths = [
+    join(homedir(), ".vellum", "protected", "actor-token-signing-key"),
+    join(getDeprecatedDir(), "actor-token-signing-key"),
+    resolve(cwd, "deprecated", "actor-token-signing-key"),
+  ];
+  return signingKeyPaths.includes(resolvedPath);
+}
+
 export async function check(
   toolName: string,
   input: Record<string, unknown>,

package/src/permissions/defaults.ts

@@ -287,11 +287,11 @@ export function getDefaultRuleTemplates(): DefaultRuleTemplate[] {
     }),
   );
 
-  // memory_recall is a read-only tool — always allow without prompting.
+  // recall is a read-only tool — always allow without prompting.
   const memoryRecallRule: DefaultRuleTemplate = {
-    id: "default:allow-memory_recall-global",
-    tool: "memory_recall",
-    pattern: "memory_recall:*",
+    id: "default:allow-recall-global",
+    tool: "recall",
+    pattern: "recall:*",
     scope: "everywhere",
     decision: "allow",
     priority: 100,

package/src/permissions/permission-mode-store.ts

@@ -0,0 +1,180 @@
+/**
+ * Singleton runtime store for the two-axis permission mode.
+ *
+ * Reads initial state from the `permissions` section of config.json on
+ * initialization and persists mutations back to the config file via the
+ * raw-config read/write helpers so env-var–derived keys are never leaked
+ * to disk.
+ *
+ * Downstream consumers (e.g. SSE broadcast) register change listeners
+ * via `onModeChanged()`.
+ */
+
+import {
+  invalidateConfigCache,
+  loadConfig,
+  loadRawConfig,
+  saveRawConfig,
+} from "../config/loader.js";
+import { getLogger } from "../util/logger.js";
+import type { PermissionMode } from "./permission-mode.js";
+import { DEFAULT_PERMISSION_MODE } from "./permission-mode.js";
+
+const log = getLogger("permission-mode-store");
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+export type ModeChangeListener = (mode: PermissionMode) => void;
+
+// ---------------------------------------------------------------------------
+// Module-level state
+// ---------------------------------------------------------------------------
+
+let currentMode: PermissionMode = { ...DEFAULT_PERMISSION_MODE };
+let initialized = false;
+const listeners: ModeChangeListener[] = [];
+
+// ---------------------------------------------------------------------------
+// Internal helpers
+// ---------------------------------------------------------------------------
+
+function notifyListeners(): void {
+  const snapshot = { ...currentMode };
+  for (const listener of listeners) {
+    try {
+      listener(snapshot);
+    } catch (err) {
+      log.error({ err }, "Error in permission mode change listener");
+    }
+  }
+}
+
+/**
+ * Persist the current in-memory permission mode to config.json.
+ *
+ * Uses the raw-config pattern (loadRawConfig → mutate → saveRawConfig) so
+ * that env-var–derived fields (API keys, dataDir) are never written to disk.
+ */
+function persistToConfig(): void {
+  try {
+    const raw = loadRawConfig();
+
+    // Ensure the permissions object exists
+    if (
+      raw.permissions == null ||
+      typeof raw.permissions !== "object" ||
+      Array.isArray(raw.permissions)
+    ) {
+      raw.permissions = {};
+    }
+
+    const permissions = raw.permissions as Record<string, unknown>;
+    permissions.askBeforeActing = currentMode.askBeforeActing;
+    permissions.hostAccess = currentMode.hostAccess;
+
+    saveRawConfig(raw);
+
+    // Invalidate the cached config so the next loadConfig() picks up the
+    // persisted values rather than returning stale in-memory state.
+    invalidateConfigCache();
+  } catch (err) {
+    log.error({ err }, "Failed to persist permission mode to config");
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/**
+ * Initialize the store from the current config. Safe to call multiple times;
+ * subsequent calls are no-ops unless `resetForTesting()` has been called.
+ */
+export function initPermissionModeStore(): void {
+  if (initialized) return;
+
+  try {
+    const config = loadConfig();
+    currentMode = {
+      askBeforeActing: config.permissions.askBeforeActing,
+      hostAccess: config.permissions.hostAccess,
+    };
+  } catch (err) {
+    log.warn(
+      { err },
+      "Failed to load permission mode from config; using defaults",
+    );
+    currentMode = { ...DEFAULT_PERMISSION_MODE };
+  }
+
+  initialized = true;
+}
+
+/**
+ * Return the current permission mode. Initializes from config on first call
+ * if `initPermissionModeStore()` hasn't been called yet.
+ */
+export function getMode(): PermissionMode {
+  if (!initialized) {
+    initPermissionModeStore();
+  }
+  return { ...currentMode };
+}
+
+/**
+ * Update the `askBeforeActing` axis. Persists to config.json and notifies
+ * change listeners.
+ */
+export function setAskBeforeActing(value: boolean): void {
+  if (!initialized) {
+    initPermissionModeStore();
+  }
+
+  if (currentMode.askBeforeActing === value) return;
+
+  currentMode.askBeforeActing = value;
+  persistToConfig();
+  notifyListeners();
+}
+
+/**
+ * Update the `hostAccess` axis. Persists to config.json and notifies
+ * change listeners.
+ */
+export function setHostAccess(value: boolean): void {
+  if (!initialized) {
+    initPermissionModeStore();
+  }
+
+  if (currentMode.hostAccess === value) return;
+
+  currentMode.hostAccess = value;
+  persistToConfig();
+  notifyListeners();
+}
+
+/**
+ * Register a callback that fires whenever the permission mode changes.
+ * Returns an unsubscribe function.
+ */
+export function onModeChanged(callback: ModeChangeListener): () => void {
+  listeners.push(callback);
+  return () => {
+    const idx = listeners.indexOf(callback);
+    if (idx >= 0) {
+      listeners.splice(idx, 1);
+    }
+  };
+}
+
+/**
+ * Reset the store to uninitialized state. **Test-only** — production code
+ * should never call this.
+ */
+export function resetForTesting(): void {
+  currentMode = { ...DEFAULT_PERMISSION_MODE };
+  initialized = false;
+  listeners.length = 0;
+}

package/src/permissions/permission-mode.ts

@@ -0,0 +1,31 @@
+import { z } from "zod";
+
+/**
+ * Two-axis permission model:
+ * - `askBeforeActing` — LLM behavior toggle: when true the assistant checks in
+ *   with the user before taking actions.
+ * - `hostAccess` — System-enforced gate: when true the assistant can execute
+ *   commands on the host machine without prompting.
+ */
+export type PermissionMode = {
+  askBeforeActing: boolean;
+  hostAccess: boolean;
+};
+
+export const DEFAULT_PERMISSION_MODE: PermissionMode = {
+  askBeforeActing: true,
+  hostAccess: false,
+};
+
+export const PermissionModeSchema = z.object({
+  askBeforeActing: z
+    .boolean({ error: "permissionMode.askBeforeActing must be a boolean" })
+    .default(true)
+    .describe("Whether the assistant should check in before taking actions"),
+  hostAccess: z
+    .boolean({ error: "permissionMode.hostAccess must be a boolean" })
+    .default(false)
+    .describe(
+      "Whether the assistant can execute commands on the host machine without prompting",
+    ),
+});

package/src/permissions/workspace-policy.ts

@@ -74,12 +74,21 @@ const HOST_TOOLS = new Set([
   "host_file_write",
   "host_file_edit",
   "host_bash",
+  "computer_use_run_applescript",
 ]);
 
+/**
+ * Check whether a tool name is a host-level tool that requires the
+ * `hostAccess` permission to execute.
+ */
+export function isHostTool(toolName: string): boolean {
+  return HOST_TOOLS.has(toolName);
+}
+
 /** Safe local-only tools that are always workspace-scoped. */
 const ALWAYS_SCOPED_TOOLS = new Set([
   "skill_load",
-  "memory_recall",
+  "recall",
   "ui_update",
   "ui_dismiss",
 ]);

package/src/playbooks/playbook-compiler.ts

@@ -1,20 +1,20 @@
 /**
- * Compile all active playbook memory items into a triage context block
+ * Compile all active playbook graph nodes into a triage context block
  * that can be injected into the system prompt alongside the contact
  * graph.
  */
 
-import { and, desc, eq, isNull } from "drizzle-orm";
+import { and, eq, sql } from "drizzle-orm";
 
 import { getDb } from "../memory/db.js";
-import { memoryItems } from "../memory/schema.js";
+import { memoryGraphNodes } from "../memory/schema.js";
 import type { Playbook } from "./types.js";
 import { parsePlaybookStatement } from "./types.js";
 
 export interface CompiledPlaybooks {
   /** Formatted text block ready for system prompt injection. */
   text: string;
-  /** Total number of active playbook items found. */
+  /** Total number of active playbook nodes found. */
   totalCount: number;
   /** Number of playbooks successfully parsed and included. */
   includedCount: number;
@@ -26,8 +26,7 @@ export interface CompilePlaybooksOptions {
 
 interface PlaybookRow {
   id: string;
-  subject: string;
-  statement: string;
+  content: string;
 }
 
 export function compilePlaybooks(
@@ -38,31 +37,33 @@ export function compilePlaybooks(
 
   const rows: PlaybookRow[] = db
     .select({
-      id: memoryItems.id,
-      subject: memoryItems.subject,
-      statement: memoryItems.statement,
+      id: memoryGraphNodes.id,
+      content: memoryGraphNodes.content,
     })
-    .from(memoryItems)
+    .from(memoryGraphNodes)
     .where(
       and(
-        eq(memoryItems.kind, "playbook"),
-        eq(memoryItems.status, "active"),
-        eq(memoryItems.scopeId, scopeId),
-        isNull(memoryItems.invalidAt),
+        eq(memoryGraphNodes.scopeId, scopeId),
+        sql`${memoryGraphNodes.sourceConversations} LIKE '%playbook:%'`,
+        sql`${memoryGraphNodes.fidelity} != 'gone'`,
       ),
     )
-    .orderBy(desc(memoryItems.importance))
+    .orderBy(sql`${memoryGraphNodes.significance} DESC`)
     .all();
 
   if (rows.length === 0) {
     return { text: "", totalCount: 0, includedCount: 0 };
   }
 
-  const parsed: Array<{ id: string; subject: string; playbook: Playbook }> = [];
+  const parsed: Array<{ id: string; playbook: Playbook }> = [];
   for (const row of rows) {
-    const playbook = parsePlaybookStatement(row.statement);
+    // Content format: "Playbook: <trigger>\n<json statement>"
+    const newlineIdx = row.content.indexOf("\n");
+    if (newlineIdx === -1) continue;
+    const statement = row.content.slice(newlineIdx + 1);
+    const playbook = parsePlaybookStatement(statement);
     if (playbook) {
-      parsed.push({ id: row.id, subject: row.subject, playbook });
+      parsed.push({ id: row.id, playbook });
     }
   }
 

package/src/playbooks/types.ts

@@ -2,9 +2,10 @@
  * Action Playbook — a structured trigger→action rule that tells the
  * triage engine how to handle incoming messages matching a pattern.
  *
- * Playbooks are stored as memory items with kind='playbook'. The
- * structured fields below are serialized into the statement column as
- * JSON, while the subject column holds a human-readable label.
+ * Playbooks are stored as memory_graph_nodes with
+ * sourceConversations containing a "playbook:{nodeId}" entry. The
+ * content column holds "Playbook: <trigger>\n<json>" where the JSON
+ * encodes the structured fields below.
  */
 
 export interface Playbook {