@vellumai/assistant 0.5.16 → 0.6.1

package/src/tools/terminal/parser.ts

@@ -49,9 +49,29 @@ const SCRIPT_INTERPRETERS = new Set([
   "deno",
   "bun",
 ]);
-// Flags that make an interpreter execute code from an inline argument or stdin
-// rather than from a file (e.g. `python -c 'code'`, `node -e 'code'`).
-const STDIN_EXEC_FLAGS = new Set(["-c", "-e", "-"]);
+// Flags that make an interpreter read code from stdin rather than from a file.
+const STDIN_EXEC_FLAGS = new Set(["-"]);
+// Per-interpreter flags that provide code inline as an argument (e.g.
+// `python -c 'code'`, `node -e 'code'`). When these are present the
+// interpreter is NOT reading code from stdin — stdin is just data, so piping
+// into the interpreter is no more dangerous than piping into grep or jq.
+//
+// This must be interpreter-specific because the same flag can mean different
+// things across interpreters. For example, `perl -c` is syntax-check mode
+// (still reads code from stdin and executes BEGIN blocks), while
+// `python -c` provides inline code. Similarly, `ruby -c` is syntax-check.
+const INTERPRETER_INLINE_CODE_FLAGS: ReadonlyMap<
+  string,
+  ReadonlySet<string>
+> = new Map([
+  ["python", new Set(["-c"])],
+  ["python3", new Set(["-c"])],
+  ["ruby", new Set(["-e"])],
+  ["perl", new Set(["-e"])],
+  ["node", new Set(["-e"])],
+  ["deno", new Set(["-e"])],
+  ["bun", new Set(["-e"])],
+]);
 // Per-interpreter flags that consume the next argument as a value (not a filename).
 // Mapped by interpreter name since flags differ across interpreters
 // (e.g. -I is standalone in Python but takes a value in Ruby).
@@ -353,18 +373,23 @@ function extractSegments(node: TSNode): CommandSegment[] {
 
 /**
  * Returns true when the interpreter args indicate stdin-exec mode - i.e. the
- * interpreter will read code from stdin (or from an inline -c/-e argument)
- * rather than from a file.  Concretely:
+ * interpreter will read code from stdin rather than from a file.  Concretely:
  *   - Any STDIN_EXEC_FLAGS present → stdin-exec
+ *   - Interpreter-specific inline code flag (-c/-e) → NOT stdin-exec
  *   - No positional (non-flag) arguments at all → stdin-exec (bare `python`)
  *   - Otherwise the first positional arg is a filename → NOT stdin-exec
  */
 function isStdinExecMode(interpreter: string, args: string[]): boolean {
   const valueFlags =
     INTERPRETER_VALUE_FLAGS.get(interpreter) ?? new Set<string>();
+  const inlineCodeFlags =
+    INTERPRETER_INLINE_CODE_FLAGS.get(interpreter) ?? new Set<string>();
   for (let i = 0; i < args.length; i++) {
     const arg = args[i];
     if (STDIN_EXEC_FLAGS.has(arg)) return true;
+    // Interpreter-specific inline code flags (e.g. python -c, node -e) mean
+    // the code is provided as an argument, not read from stdin.
+    if (inlineCodeFlags.has(arg)) return false;
     // First non-flag argument is a filename/module → file mode
     if (!arg.startsWith("-")) return false;
     // Flags like -W, -X consume the next token as their value - skip it

package/src/tools/terminal/safe-env.ts

@@ -8,7 +8,7 @@
 import { getGatewayInternalBaseUrl } from "../../config/env.js";
 import { getDataDir, getWorkspaceDir } from "../../util/platform.js";
 
-const SAFE_ENV_VARS = [
+export const SAFE_ENV_VARS = [
   "PATH",
   "HOME",
   "TERM",
@@ -35,7 +35,23 @@ const SAFE_ENV_VARS = [
   "CES_CREDENTIAL_URL",
   "CES_MANAGED_MODE",
   "IS_CONTAINERIZED",
+  "IS_PLATFORM",
   "CES_SERVICE_TOKEN",
+  "VELLUM_PROFILER_RUN_ID",
+  "VELLUM_PROFILER_MODE",
+  "VELLUM_PROFILER_MAX_BYTES",
+  "VELLUM_PROFILER_MAX_RUNS",
+  "VELLUM_PROFILER_MIN_FREE_MB",
+] as const;
+
+/**
+ * Keys that buildSanitizedEnv always injects into the returned env,
+ * independent of what is present in process.env.
+ */
+export const ALWAYS_INJECTED_ENV_VARS = [
+  "INTERNAL_GATEWAY_BASE_URL",
+  "VELLUM_DATA_DIR",
+  "VELLUM_WORKSPACE_DIR",
 ] as const;
 
 export function buildSanitizedEnv(): Record<string, string> {

package/src/tools/tool-manifest.ts

@@ -16,13 +16,15 @@ import { manageSecureCommandTool } from "./credential-execution/manage-secure-co
 import { runAuthenticatedCommandTool } from "./credential-execution/run-authenticated-command.js";
 import { credentialStoreTool } from "./credentials/vault.js";
 import { fileEditTool } from "./filesystem/edit.js";
+import { fileListTool } from "./filesystem/list.js";
 import { fileReadTool } from "./filesystem/read.js";
 import { fileWriteTool } from "./filesystem/write.js";
-import { memoryManageTool, memoryRecallTool } from "./memory/register.js";
+import { recallTool, rememberTool } from "./memory/register.js";
 import { webFetchTool } from "./network/web-fetch.js";
 import { webSearchTool } from "./network/web-search.js";
 import { skillExecuteTool } from "./skills/execute.js";
 import { skillLoadTool } from "./skills/load.js";
+import { notifyParentTool } from "./subagent/notify-parent.js";
 import { requestSystemPermissionTool } from "./system/request-permission.js";
 import { shellTool } from "./terminal/shell.js";
 import type { Tool } from "./types.js";
@@ -56,11 +58,13 @@ export const eagerModuleToolNames: string[] = [
   "file_read",
   "file_write",
   "file_edit",
+  "file_list",
   "web_search",
   "web_fetch",
   "skill_execute",
   "skill_load",
   "request_system_permission",
+  "notify_parent",
 ];
 
 // ── Explicit tool instances ─────────────────────────────────────────
@@ -76,15 +80,17 @@ export const explicitTools: Tool[] = [
   fileReadTool,
   fileWriteTool,
   fileEditTool,
+  fileListTool,
   webFetchTool,
   webSearchTool,
   skillExecuteTool,
   skillLoadTool,
   requestSystemPermissionTool,
   // Always-explicit tools
-  memoryManageTool,
-  memoryRecallTool,
+  rememberTool,
+  recallTool,
   credentialStoreTool,
+  notifyParentTool,
 ];
 
 // ── CES tools (feature-flag gated) ──────────────────────────────────

package/src/tools/types.ts

@@ -181,6 +181,8 @@ export interface ToolContext {
   hostBashProxy?: import("../daemon/host-bash-proxy.js").HostBashProxy;
   /** Optional proxy for delegating host_file_read/write/edit execution to a connected client (managed/cloud-hosted mode). */
   hostFileProxy?: import("../daemon/host-file-proxy.js").HostFileProxy;
+  /** True when the assistant is running as a platform-managed remote instance. Used to auto-approve sandboxed bash tools. */
+  isPlatformHosted?: boolean;
   /** CES RPC client for credential execution operations. When present, the executor can bridge CES approval flows. */
   cesClient?: CesClient;
 }

package/src/util/browser.ts

@@ -1,15 +1,30 @@
-import { isLinux, isMacOS } from "./platform.js";
+import { mkdirSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+
+import { getLogger } from "./logger.js";
+import { getSignalsDir } from "./platform.js";
+
+const log = getLogger("browser");
 
 /**
- * Open a URL in the user's default browser, falling back to printing the URL
- * to stderr on unsupported platforms.
+ * Open a URL on the user's host machine.
+ *
+ * Writes an `open_url` event to the `signals/emit-event` file so that the
+ * daemon's ConfigWatcher picks it up and publishes it to connected clients
+ * (e.g. the Swift macOS app) via the assistant event hub.
  */
-export function openInBrowser(url: string): void {
-  if (isMacOS()) {
-    Bun.spawn(["open", url], { stdout: "ignore", stderr: "ignore" });
-  } else if (isLinux()) {
-    Bun.spawn(["xdg-open", url], { stdout: "ignore", stderr: "ignore" });
-  } else {
-    process.stderr.write(`Open this URL to authorize:\n\n${url}\n`);
+export async function openInHostBrowser(url: string): Promise<void> {
+  try {
+    const signalsDir = getSignalsDir();
+    mkdirSync(signalsDir, { recursive: true });
+    writeFileSync(
+      join(signalsDir, "emit-event"),
+      JSON.stringify({ type: "open_url", url }),
+    );
+  } catch (err) {
+    log.warn(
+      { error: err instanceof Error ? err.message : String(err) },
+      "Failed to write open_url signal",
+    );
   }
 }

package/src/util/bun-runtime.ts

@@ -0,0 +1,172 @@
+/**
+ * Shared helper for locating or JIT-installing a standalone `bun` binary.
+ *
+ * Several subsystems (package resolver, hook runner, browser runtime,
+ * credential execution, embedding runtime) need to spawn `bun` as a child
+ * process. Inside a `bun build --compile` binary, `process.execPath` is the
+ * compiled app — not the bun CLI — and the user may not have bun on PATH.
+ *
+ * This module checks well-known locations first, and if none is found it
+ * downloads a pinned release from GitHub into $VELLUM_WORKSPACE_DIR/bin/.
+ */
+
+import {
+  chmodSync,
+  existsSync,
+  mkdirSync,
+  renameSync,
+  rmSync,
+  writeFileSync,
+} from "node:fs";
+import { arch, homedir, platform } from "node:os";
+import { basename, join } from "node:path";
+
+import { getLogger } from "./logger.js";
+import { getBinDir } from "./platform.js";
+
+const log = getLogger("bun-runtime");
+
+/** Pinned bun version to download when no system bun is available. */
+const BUN_VERSION = "1.2.0";
+
+/** Module-level cache so we only resolve/download once per process. */
+let cachedBunPath: string | undefined;
+
+/** In-flight download promise to deduplicate concurrent callers. */
+let inflightDownload: Promise<string> | undefined;
+
+/**
+ * Return a path to a usable `bun` binary, downloading one if necessary.
+ *
+ * Resolution order:
+ * 1. `process.execPath` if it IS the bun CLI (dev mode)
+ * 2. Previously downloaded copy at $VELLUM_WORKSPACE_DIR/bin/bun
+ * 3. Common install locations (~/.bun/bin/bun, /opt/homebrew/bin/bun, etc.)
+ * 4. `Bun.which("bun")` (PATH lookup)
+ * 5. Download from GitHub releases into $VELLUM_WORKSPACE_DIR/bin/
+ */
+export async function ensureBun(): Promise<string> {
+  if (cachedBunPath && existsSync(cachedBunPath)) {
+    return cachedBunPath;
+  }
+
+  const found = findBun();
+  if (found) {
+    cachedBunPath = found;
+    return found;
+  }
+
+  // No bun found anywhere — download it.
+  // Use an in-flight promise to deduplicate concurrent callers.
+  if (!inflightDownload) {
+    log.info("No bun binary found, downloading…");
+    const binDir = getBinDir();
+    inflightDownload = downloadBun(binDir).finally(() => {
+      inflightDownload = undefined;
+    });
+  }
+  const downloaded = await inflightDownload;
+  cachedBunPath = downloaded;
+  return downloaded;
+}
+
+/**
+ * Synchronous check for an already-available bun binary.
+ * Returns the path if found, undefined otherwise. Does NOT download.
+ */
+export function findBun(): string | undefined {
+  // 1. process.execPath if it is the bun CLI itself (dev mode)
+  const execBase = basename(process.execPath);
+  if (execBase === "bun" || execBase === "bun.exe") {
+    return process.execPath;
+  }
+
+  // 2. Previously downloaded copy
+  const downloaded = join(getBinDir(), "bun");
+  if (existsSync(downloaded)) return downloaded;
+
+  // 3. Common install locations
+  const home = homedir();
+  for (const p of [
+    join(home, ".bun", "bin", "bun"),
+    "/opt/homebrew/bin/bun",
+    "/usr/local/bin/bun",
+  ]) {
+    if (existsSync(p)) return p;
+  }
+
+  // 4. PATH lookup
+  const which = Bun.which("bun");
+  if (which) return which;
+
+  return undefined;
+}
+
+/**
+ * Download a pinned bun release into the given directory.
+ * Returns the absolute path to the downloaded binary.
+ */
+async function downloadBun(installDir: string): Promise<string> {
+  const os = platform();
+  const cpu = arch() === "arm64" ? "aarch64" : arch();
+  const target = `${os}-${cpu}`;
+  const url = `https://github.com/oven-sh/bun/releases/download/bun-v${BUN_VERSION}/bun-${target}.zip`;
+
+  log.info({ url, target, bunVersion: BUN_VERSION }, "Downloading bun binary");
+
+  const response = await fetch(url, { redirect: "follow" });
+  if (!response.ok) {
+    throw new Error(
+      `Failed to download bun: ${response.status} ${response.statusText}`,
+    );
+  }
+
+  const zipData = await response.arrayBuffer();
+  mkdirSync(installDir, { recursive: true });
+
+  const tmpZip = join(installDir, `bun-download-${Date.now()}.zip`);
+  writeFileSync(tmpZip, Buffer.from(zipData));
+
+  try {
+    const proc = Bun.spawn({
+      cmd: ["unzip", "-o", tmpZip, "-d", installDir],
+      stdout: "ignore",
+      stderr: "pipe",
+    });
+    await proc.exited;
+    if (proc.exitCode !== 0) {
+      const stderr = await new Response(proc.stderr).text();
+      throw new Error(`Failed to extract bun zip: ${stderr}`);
+    }
+
+    // Move binary from bun-{target}/bun to installDir/bun
+    const extractedBun = join(installDir, `bun-${target}`, "bun");
+    const finalPath = join(installDir, "bun");
+    if (existsSync(extractedBun)) {
+      // Remove old binary first to avoid "Text file busy" on some systems
+      if (existsSync(finalPath)) {
+        rmSync(finalPath);
+      }
+      renameSync(extractedBun, finalPath);
+      rmSync(join(installDir, `bun-${target}`), {
+        recursive: true,
+        force: true,
+      });
+    } else if (!existsSync(finalPath)) {
+      throw new Error(
+        `Bun binary not found at expected path after extraction: ${extractedBun}`,
+      );
+    }
+
+    chmodSync(finalPath, 0o755);
+
+    log.info({ path: finalPath }, "Bun binary downloaded successfully");
+    return finalPath;
+  } finally {
+    try {
+      rmSync(tmpZip);
+    } catch {
+      /* ignore cleanup failure */
+    }
+  }
+}

package/src/util/logger.ts

@@ -36,7 +36,7 @@ export type LogFileConfig = {
 
 const LOG_FILE_PREFIX = "assistant-";
 const LOG_FILE_SUFFIX = ".log";
-const LOG_FILE_PATTERN = /^assistant-(\d{4}-\d{2}-\d{2})\.log$/;
+export const LOG_FILE_PATTERN = /^assistant-(\d{4}-\d{2}-\d{2})\.log$/;
 
 function formatDate(date: Date): string {
   const y = date.getUTCFullYear();

package/src/util/platform.ts

@@ -25,16 +25,6 @@ export function getPlatformName(): string {
   return process.platform;
 }
 
-/**
- * Returns the platform-specific clipboard copy command, or null if
- * clipboard access is not supported on the current platform.
- */
-export function getClipboardCommand(): string | null {
-  if (isMacOS()) return "pbcopy";
-  if (isLinux()) return "xclip -selection clipboard";
-  return null;
-}
-
 /**
  * Normalize an assistant ID to its canonical form for DB operations.
  *
@@ -105,13 +95,25 @@ export function getInterfacesDir(): string {
 
 /**
  * Returns the sounds directory (~/.vellum/workspace/data/sounds).
- * Custom sound files and sound configuration live here. Sound files
- * can be large, so this directory is excluded from diagnostic exports.
+ * Custom sound files and sound configuration live here.
  */
 export function getSoundsDir(): string {
   return join(getWorkspaceDir(), "data", "sounds");
 }
 
+/** Returns the avatar directory ($VELLUM_WORKSPACE_DIR/data/avatar). */
+export function getAvatarDir(): string {
+  return join(getWorkspaceDir(), "data", "avatar");
+}
+
+/** Canonical filename for the custom avatar PNG. */
+export const AVATAR_IMAGE_FILENAME = "avatar-image.png";
+
+/** Returns the canonical avatar image path (~/.vellum/workspace/data/avatar/avatar-image.png). */
+export function getAvatarImagePath(): string {
+  return join(getAvatarDir(), AVATAR_IMAGE_FILENAME);
+}
+
 /**
  * Returns the TCP port the daemon should listen on for iOS clients.
  * Hardcoded default: 8765.
@@ -218,7 +220,7 @@ export function getHistoryPath(): string {
  * overrides, device approval lists — live here.
  *
  * This directory is:
- * - Outside the workspace (not included in diagnostic exports)
+ * - Outside the workspace
  * - Outside the sandbox write boundary (tools cannot modify it)
  * - Skipped in containerized mode (credentials via CES, trust via gateway)
  */
@@ -271,10 +273,6 @@ export function getEmbedWorkerPidPath(): string {
  * When the VELLUM_WORKSPACE_DIR env var is set, returns that value (used in
  * containerized deployments where the workspace is a separate volume).
  * Otherwise falls back to ~/.vellum/workspace.
- *
- * WARNING: The entire workspace directory is included in diagnostic log exports
- * ("Send logs to Vellum"). Do not store secrets, API keys, or sensitive
- * credentials here — use the credential store or ~/.vellum/protected/ instead.
  */
 export function getWorkspaceDir(): string {
   const override = getWorkspaceDirOverride();
@@ -315,6 +313,11 @@ export function getWorkspaceHooksDir(): string {
   return join(getWorkspaceDir(), "hooks");
 }
 
+/** Returns $VELLUM_WORKSPACE_DIR/routes — user-defined HTTP route handlers. */
+export function getWorkspaceRoutesDir(): string {
+  return join(getWorkspaceDir(), "routes");
+}
+
 /** Returns ~/.vellum/workspace/deprecated — transitional files slated for removal. */
 export function getDeprecatedDir(): string {
   return join(getWorkspaceDir(), "deprecated");
@@ -330,6 +333,35 @@ export function getWorkspacePromptPath(file: string): string {
   return join(getWorkspaceDir(), file);
 }
 
+// ── Profiler filesystem layout ──────────────────────────────────────────
+// Managed profiler runs live under <workspace>/data/profiler/. These
+// helpers enforce a single canonical layout so every runtime caller
+// resolves the same paths.
+
+/**
+ * Returns the profiler root directory (<workspace>/data/profiler).
+ * All profiler state (runs directory, global metadata) lives here.
+ */
+export function getProfilerRootDir(): string {
+  return join(getDataDir(), "profiler");
+}
+
+/**
+ * Returns the profiler runs directory (<workspace>/data/profiler/runs).
+ * Each completed or active profiler run gets its own sub-directory here.
+ */
+export function getProfilerRunsDir(): string {
+  return join(getProfilerRootDir(), "runs");
+}
+
+/**
+ * Returns the directory for a specific profiler run by ID
+ * (<workspace>/data/profiler/runs/<runId>).
+ */
+export function getProfilerRunDir(runId: string): string {
+  return join(getProfilerRunsDir(), runId);
+}
+
 export function ensureDataDir(): void {
   const root = vellumRoot();
   const workspace = getWorkspaceDir();
@@ -342,6 +374,7 @@ export function ensureDataDir(): void {
     join(workspace, "signals"),
     join(workspace, "hooks"),
     join(workspace, "skills"),
+    join(workspace, "routes"),
     join(workspace, "embedding-models"),
     join(workspace, "conversations"),
     join(workspace, "logs"),