@vellumai/assistant 0.5.16 → 0.6.1

package/src/__tests__/checker.test.ts

@@ -170,17 +170,39 @@ describe("Permission Checker", () => {
   // ── classifyRisk ────────────────────────────────────────────────
 
   describe("classifyRisk", () => {
-    // file_read is always low
+    // file_read is low risk except for signing-key material
     describe("file_read", () => {
-      test("file_read is always low risk", async () => {
+      test("file_read is low risk for regular files", async () => {
         const risk = await classifyRisk("file_read", { path: "/etc/passwd" });
         expect(risk).toBe(RiskLevel.Low);
       });
 
-      test("file_read with any path is low risk", async () => {
+      test("file_read with arbitrary non-key path is low risk", async () => {
         const risk = await classifyRisk("file_read", { path: "/tmp/safe.txt" });
         expect(risk).toBe(RiskLevel.Low);
       });
+
+      test("file_read of workspace signing key path is high risk", async () => {
+        const workspaceDir = join(checkerTestDir, "workspace");
+        const risk = await classifyRisk(
+          "file_read",
+          { path: "deprecated/actor-token-signing-key" },
+          workspaceDir,
+        );
+        expect(risk).toBe(RiskLevel.High);
+      });
+
+      test("file_read of legacy protected signing key path is high risk", async () => {
+        const risk = await classifyRisk("file_read", {
+          path: join(
+            homedir(),
+            ".vellum",
+            "protected",
+            "actor-token-signing-key",
+          ),
+        });
+        expect(risk).toBe(RiskLevel.High);
+      });
     });
 
     // file_write is always low (sandboxed)
@@ -4378,7 +4400,7 @@ describe("Permission Checker", () => {
   });
 });
 
-describe("bash network_mode=proxied — no special-casing", () => {
+describe("bash network_mode=proxied — risk capped at medium", () => {
   beforeEach(() => {
     clearCache();
     testConfig.permissions = { mode: "workspace" };
@@ -4386,8 +4408,6 @@ describe("bash network_mode=proxied — no special-casing", () => {
   });
 
   test("proxied bash follows normal rules (auto-allowed by default rule)", async () => {
-    // Proxied bash is no longer force-prompted — the default allow-bash rule
-    // auto-allows low/medium risk commands regardless of network_mode.
     const result = await check(
       "bash",
       { command: "curl https://api.example.com", network_mode: "proxied" },
@@ -4396,6 +4416,41 @@ describe("bash network_mode=proxied — no special-casing", () => {
     expect(result.decision).toBe("allow");
   });
 
+  test("proxied bash caps high-risk commands to medium", async () => {
+    // pipe-to-interpreter (stdin exec) is normally High risk, but proxied mode caps at Medium
+    const risk = await classifyRisk("bash", {
+      command: "cat exploit.py | python3",
+      network_mode: "proxied",
+    });
+    expect(risk).toBe(RiskLevel.Medium);
+  });
+
+  test("pipe to python3 -c is not high risk (inline code, not stdin exec)", async () => {
+    const risk = await classifyRisk("bash", {
+      command: 'cat data.json | python3 -c "import sys; print(sys.stdin.read())"',
+    });
+    expect(risk).toBe(RiskLevel.Low);
+  });
+
+  test("pipe to python3 without -c is high risk (stdin exec)", async () => {
+    const risk = await classifyRisk("bash", {
+      command: "cat exploit.py | python3",
+    });
+    expect(risk).toBe(RiskLevel.High);
+  });
+
+  test("proxied bash with high-risk command is auto-allowed by default rule", async () => {
+    const result = await check(
+      "bash",
+      {
+        command: "cat exploit.py | python3",
+        network_mode: "proxied",
+      },
+      "/tmp",
+    );
+    expect(result.decision).toBe("allow");
+  });
+
   test("host_bash with network_mode=proxied follows normal flow", async () => {
     addRule("host_bash", "**", "everywhere");
     const result = await check(
@@ -4768,15 +4823,14 @@ describe("workspace mode — auto-allow workspace-scoped operations", () => {
     }
   });
 
-  // ── proxied bash — follows normal rules (no special-casing) ──
+  // ── proxied bash — risk capped at medium ──
 
-  test("bash with network_mode=proxied → allow (follows normal rules in workspace mode)", async () => {
+  test("bash with network_mode=proxied → allow (risk capped at medium)", async () => {
     const result = await check(
       "bash",
       { command: "curl https://api.example.com", network_mode: "proxied" },
       workspaceDir,
     );
-    // Default allow-bash rule auto-allows; proxied mode is not special-cased.
     expect(result.decision).toBe("allow");
   });
 

package/src/__tests__/clawhub.test.ts

@@ -1,4 +1,10 @@
-import { existsSync, mkdirSync, rmSync, writeFileSync } from "node:fs";
+import {
+  existsSync,
+  mkdirSync,
+  readFileSync,
+  rmSync,
+  writeFileSync,
+} from "node:fs";
 import { join } from "node:path";
 import { describe, expect, test } from "bun:test";
 import { mock } from "bun:test";
@@ -15,9 +21,9 @@ mock.module("../util/logger.js", () => ({
 import {
   clawhubInspect,
   clawhubInstall,
-  loadIntegrityManifest,
   verifyAndRecordSkillHash,
 } from "../skills/clawhub.js";
+import type { SkillInstallMeta } from "../skills/install-meta.js";
 
 // ---------------------------------------------------------------------------
 // Slug validation (exercised through public API)
@@ -92,58 +98,65 @@ describe("clawhubInspect slug validation", () => {
 });
 
 // ---------------------------------------------------------------------------
-// Integrity manifest edge cases — tested via verifyAndRecordSkillHash
-// which is the code path that reads/writes the manifest.
+// Content hash verification — tested via verifyAndRecordSkillHash
+// which reads legacy .integrity.json but always writes to install-meta.json.
 // ---------------------------------------------------------------------------
 
-describe("integrity manifest", () => {
+describe("content hash verification", () => {
   function createSkillFiles(slug: string): void {
     const skillDir = join(TEST_DIR, "skills", slug);
     mkdirSync(skillDir, { recursive: true });
     writeFileSync(join(skillDir, "SKILL.md"), "# Test Skill\n", "utf-8");
   }
 
+  function readSkillInstallMeta(slug: string): SkillInstallMeta {
+    const metaPath = join(TEST_DIR, "skills", slug, "install-meta.json");
+    return JSON.parse(readFileSync(metaPath, "utf-8")) as SkillInstallMeta;
+  }
+
   test("malformed integrity JSON is handled gracefully", () => {
     mkdirSync(join(TEST_DIR, "skills"), { recursive: true });
     const integrityPath = join(TEST_DIR, "skills", ".integrity.json");
     writeFileSync(integrityPath, "{not valid json!!!", "utf-8");
     createSkillFiles("valid-slug");
 
-    // Should not throw — malformed manifest is replaced with a fresh one
+    // Should not throw — malformed legacy manifest is ignored; install-meta.json is created
     verifyAndRecordSkillHash("valid-slug");
 
-    // Manifest should now contain a valid entry
-    const manifest = loadIntegrityManifest();
-    expect(manifest["valid-slug"]).toBeDefined();
-    expect(manifest["valid-slug"].sha256).toMatch(/^v2:[0-9a-f]{64}$/);
+    // install-meta.json should now contain a valid hash
+    const meta = readSkillInstallMeta("valid-slug");
+    expect(meta.contentHash).toMatch(/^v2:[0-9a-f]{64}$/);
+    expect(meta.origin).toBe("clawhub");
+    expect(meta.slug).toBe("valid-slug");
   });
 
-  test("missing integrity manifest is created on first install", () => {
+  test("install-meta.json is created on first hash verification for skills without one", () => {
     const skillsDir = join(TEST_DIR, "skills");
     mkdirSync(skillsDir, { recursive: true });
-    const integrityPath = join(skillsDir, ".integrity.json");
-    // Remove any manifest left by earlier tests so we test the fresh-creation path
-    rmSync(integrityPath, { force: true });
-    expect(existsSync(integrityPath)).toBe(false);
     createSkillFiles("new-skill");
+    const metaPath = join(skillsDir, "new-skill", "install-meta.json");
+    // Remove any install-meta left by earlier tests
+    rmSync(metaPath, { force: true });
+    expect(existsSync(metaPath)).toBe(false);
 
     verifyAndRecordSkillHash("new-skill");
 
-    // Manifest should now exist with the skill's hash
-    expect(existsSync(integrityPath)).toBe(true);
-    const manifest = loadIntegrityManifest();
-    expect(manifest["new-skill"]).toBeDefined();
-    expect(manifest["new-skill"].sha256).toMatch(/^v2:[0-9a-f]{64}$/);
+    // install-meta.json should now exist with the skill's hash
+    expect(existsSync(metaPath)).toBe(true);
+    const meta = readSkillInstallMeta("new-skill");
+    expect(meta.contentHash).toMatch(/^v2:[0-9a-f]{64}$/);
+    expect(meta.origin).toBe("clawhub");
+    expect(meta.slug).toBe("new-skill");
   });
 
   test("re-install with same content preserves hash", () => {
     createSkillFiles("stable-skill");
 
     verifyAndRecordSkillHash("stable-skill");
-    const first = loadIntegrityManifest()["stable-skill"].sha256;
+    const first = readSkillInstallMeta("stable-skill").contentHash;
 
     verifyAndRecordSkillHash("stable-skill");
-    const second = loadIntegrityManifest()["stable-skill"].sha256;
+    const second = readSkillInstallMeta("stable-skill").contentHash;
 
     expect(first).toBe(second);
   });
@@ -151,7 +164,7 @@ describe("integrity manifest", () => {
   test("re-install with changed content updates hash", () => {
     createSkillFiles("changing-skill");
     verifyAndRecordSkillHash("changing-skill");
-    const first = loadIntegrityManifest()["changing-skill"].sha256;
+    const first = readSkillInstallMeta("changing-skill").contentHash;
 
     // Modify skill content
     writeFileSync(
@@ -160,8 +173,25 @@ describe("integrity manifest", () => {
       "utf-8",
     );
     verifyAndRecordSkillHash("changing-skill");
-    const second = loadIntegrityManifest()["changing-skill"].sha256;
+    const second = readSkillInstallMeta("changing-skill").contentHash;
 
     expect(first).not.toBe(second);
   });
+
+  test(".integrity.json is never written to", () => {
+    const skillsDir = join(TEST_DIR, "skills");
+    mkdirSync(skillsDir, { recursive: true });
+    const integrityPath = join(skillsDir, ".integrity.json");
+    // Remove any legacy manifest
+    rmSync(integrityPath, { force: true });
+    createSkillFiles("no-integrity-write");
+
+    verifyAndRecordSkillHash("no-integrity-write");
+
+    // .integrity.json should NOT have been created
+    expect(existsSync(integrityPath)).toBe(false);
+    // But install-meta.json should exist
+    const metaPath = join(skillsDir, "no-integrity-write", "install-meta.json");
+    expect(existsSync(metaPath)).toBe(true);
+  });
 });

package/src/__tests__/cli-command-risk-guard.test.ts

@@ -208,6 +208,20 @@ describe("CLI command risk guard: elevated assistant subcommands", () => {
     }
   });
 
+  test("--help used as option value does not downgrade credentials reveal risk", async () => {
+    const risk = await classifyRisk("bash", {
+      command: "assistant credentials reveal 123 --service --help",
+    });
+    expect(risk).toBe(RiskLevel.High);
+  });
+
+  test("-h used as option value does not downgrade oauth mode --set risk", async () => {
+    const risk = await classifyRisk("bash", {
+      command: "assistant oauth mode --set -h",
+    });
+    expect(risk).toBe(RiskLevel.High);
+  });
+
   test("non-sensitive oauth subcommands remain Low risk", async () => {
     const lowRiskOauthCommands = [
       "assistant oauth apps",

package/src/__tests__/config-schema.test.ts

@@ -105,7 +105,7 @@ describe("AssistantConfigSchema", () => {
       shellMaxTimeoutSec: 600,
       permissionTimeoutSec: 300,
       toolExecutionTimeoutSec: 120,
-      providerStreamTimeoutSec: 300,
+      providerStreamTimeoutSec: 1800,
     });
     expect(result.sandbox).toEqual({
       enabled: false,
@@ -169,6 +169,7 @@ describe("AssistantConfigSchema", () => {
       enqueueIntervalMs: 6 * 60 * 60 * 1000,
       supersededItemRetentionMs: 30 * 24 * 60 * 60 * 1000,
       conversationRetentionDays: 0,
+      llmRequestLogRetentionMs: 7 * 24 * 60 * 60 * 1000,
     });
   });
 
@@ -421,6 +422,8 @@ describe("AssistantConfigSchema", () => {
     const result = AssistantConfigSchema.parse({});
     expect(result.permissions).toEqual({
       mode: "workspace",
+      askBeforeActing: true,
+      hostAccess: false,
     });
   });
 
@@ -1128,6 +1131,8 @@ describe("loadConfig with schema validation", () => {
     const config = loadConfig();
     expect(config.permissions).toEqual({
       mode: "workspace",
+      askBeforeActing: true,
+      hostAccess: false,
     });
   });
 

package/src/__tests__/config-set-platform-guard.test.ts

@@ -0,0 +1,302 @@
+import { beforeEach, describe, expect, mock, test } from "bun:test";
+
+import { Command } from "commander";
+
+// ---------------------------------------------------------------------------
+// Mock state
+// ---------------------------------------------------------------------------
+
+let mockPlatformClientCreate: () => Promise<Record<
+  string,
+  unknown
+> | null> = async () => null;
+
+let mockLoadRawConfig: () => Record<string, unknown> = () => ({});
+const mockSaveRawConfigCalls: Array<Record<string, unknown>> = [];
+const mockSetNestedValueCalls: Array<{
+  obj: Record<string, unknown>;
+  key: string;
+  value: unknown;
+}> = [];
+let mockGetNestedValue: (
+  obj: Record<string, unknown>,
+  key: string,
+) => unknown = () => undefined;
+
+// ---------------------------------------------------------------------------
+// Mocks — platform/client (controls requirePlatformConnection)
+// ---------------------------------------------------------------------------
+
+mock.module("../platform/client.js", () => ({
+  VellumPlatformClient: {
+    create: () => mockPlatformClientCreate(),
+  },
+}));
+
+// ---------------------------------------------------------------------------
+// Mocks — config/loader
+// ---------------------------------------------------------------------------
+
+mock.module("../config/loader.js", () => ({
+  getConfig: () => ({ services: {} }),
+  loadConfig: () => ({ services: {} }),
+  saveConfig: () => {},
+  invalidateConfigCache: () => {},
+  loadRawConfig: () => mockLoadRawConfig(),
+  saveRawConfig: (raw: Record<string, unknown>) => {
+    mockSaveRawConfigCalls.push(raw);
+  },
+  applyNestedDefaults: (c: unknown) => c,
+  deepMergeMissing: (a: unknown) => a,
+  deepMergeOverwrite: (a: unknown) => a,
+  mergeDefaultWorkspaceConfig: () => {},
+  getNestedValue: (obj: Record<string, unknown>, key: string) =>
+    mockGetNestedValue(obj, key),
+  setNestedValue: (obj: Record<string, unknown>, key: string, value: unknown) =>
+    mockSetNestedValueCalls.push({ obj, key, value }),
+  API_KEY_PROVIDERS: [
+    "anthropic",
+    "openai",
+    "gemini",
+    "ollama",
+    "fireworks",
+    "openrouter",
+    "brave",
+    "perplexity",
+  ],
+}));
+
+// ---------------------------------------------------------------------------
+// Mocks — util/logger (suppress log output)
+// ---------------------------------------------------------------------------
+
+mock.module("../util/logger.js", () => ({
+  getLogger: () => ({
+    info: () => {},
+    warn: () => {},
+    error: () => {},
+    debug: () => {},
+  }),
+  getCliLogger: () => ({
+    info: () => {},
+    warn: () => {},
+    error: () => {},
+    debug: () => {},
+  }),
+}));
+
+// ---------------------------------------------------------------------------
+// Mocks — oauth/oauth-store (transitive dep of oauth/shared.ts)
+// ---------------------------------------------------------------------------
+
+mock.module("../oauth/oauth-store.js", () => ({
+  disconnectOAuthProvider: async () => "not-found" as const,
+  getConnection: () => undefined,
+  getConnectionByProvider: () => undefined,
+  listConnections: () => [],
+  deleteConnection: () => false,
+  upsertApp: async () => ({}),
+  getApp: () => undefined,
+  getAppByProviderAndClientId: () => undefined,
+  getMostRecentAppByProvider: () => undefined,
+  listApps: () => [],
+  deleteApp: async () => false,
+  getProvider: () => undefined,
+  listProviders: () => [],
+  registerProvider: () => ({}),
+  updateProvider: () => undefined,
+  deleteProvider: () => false,
+  seedProviders: () => {},
+  getActiveConnection: () => undefined,
+  listActiveConnectionsByProvider: () => [],
+  createConnection: () => ({}),
+  isProviderConnected: () => false,
+  updateConnection: () => ({}),
+}));
+
+// ---------------------------------------------------------------------------
+// Import the module under test (after mocks are registered)
+// ---------------------------------------------------------------------------
+
+const { registerConfigCommand } = await import("../cli/commands/config.js");
+
+// ---------------------------------------------------------------------------
+// Test helper
+// ---------------------------------------------------------------------------
+
+async function runCli(
+  args: string[],
+): Promise<{ exitCode: number; stdout: string }> {
+  const originalStdoutWrite = process.stdout.write.bind(process.stdout);
+  const originalStderrWrite = process.stderr.write.bind(process.stderr);
+  const stdoutChunks: string[] = [];
+
+  process.stdout.write = ((chunk: unknown) => {
+    stdoutChunks.push(typeof chunk === "string" ? chunk : String(chunk));
+    return true;
+  }) as typeof process.stdout.write;
+
+  process.stderr.write = (() => true) as typeof process.stderr.write;
+
+  process.exitCode = 0;
+
+  try {
+    const program = new Command();
+    program.option("--json", "JSON output");
+    program.exitOverride();
+    program.configureOutput({
+      writeErr: () => {},
+      writeOut: (str: string) => stdoutChunks.push(str),
+    });
+    registerConfigCommand(program);
+    await program.parseAsync(args);
+  } catch {
+    if (process.exitCode === 0) process.exitCode = 1;
+  } finally {
+    process.stdout.write = originalStdoutWrite;
+    process.stderr.write = originalStderrWrite;
+  }
+
+  const exitCode = process.exitCode ?? 0;
+  process.exitCode = 0;
+
+  return {
+    exitCode,
+    stdout: stdoutChunks.join(""),
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("config set — platform connection guard for service mode paths", () => {
+  beforeEach(() => {
+    // Default: not connected to platform
+    mockPlatformClientCreate = async () => null;
+    mockLoadRawConfig = () => ({});
+    mockSaveRawConfigCalls.length = 0;
+    mockSetNestedValueCalls.length = 0;
+    mockGetNestedValue = () => undefined;
+  });
+
+  test("config set services.inference.mode managed — fails when not connected", async () => {
+    const { exitCode, stdout } = await runCli([
+      "node",
+      "assistant",
+      "--json",
+      "config",
+      "set",
+      "services.inference.mode",
+      "managed",
+    ]);
+
+    expect(exitCode).toBe(1);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(false);
+    expect(parsed.error).toContain("vellum platform connect");
+    expect(parsed.error).toContain("Not connected");
+    // Config should NOT have been written
+    expect(mockSaveRawConfigCalls).toHaveLength(0);
+    expect(mockSetNestedValueCalls).toHaveLength(0);
+  });
+
+  test("config set services.image-generation.mode your-own — succeeds without platform connection", async () => {
+    const { exitCode } = await runCli([
+      "node",
+      "assistant",
+      "--json",
+      "config",
+      "set",
+      "services.image-generation.mode",
+      "your-own",
+    ]);
+
+    expect(exitCode).toBe(0);
+    // Config should have been written — setting to "your-own" doesn't need platform
+    expect(mockSetNestedValueCalls).toHaveLength(1);
+    expect(mockSetNestedValueCalls[0]!.key).toBe(
+      "services.image-generation.mode",
+    );
+    expect(mockSetNestedValueCalls[0]!.value).toBe("your-own");
+    expect(mockSaveRawConfigCalls).toHaveLength(1);
+  });
+
+  test("config set calls.enabled true — succeeds without platform connection", async () => {
+    const { exitCode } = await runCli([
+      "node",
+      "assistant",
+      "config",
+      "set",
+      "calls.enabled",
+      "true",
+    ]);
+
+    expect(exitCode).toBe(0);
+    // Config should have been written
+    expect(mockSetNestedValueCalls).toHaveLength(1);
+    expect(mockSetNestedValueCalls[0]!.key).toBe("calls.enabled");
+    expect(mockSetNestedValueCalls[0]!.value).toBe(true);
+    expect(mockSaveRawConfigCalls).toHaveLength(1);
+  });
+
+  test("config get services.inference.mode — works without platform connection", async () => {
+    mockGetNestedValue = (_obj, key) => {
+      if (key === "services.inference.mode") return "your-own";
+      return undefined;
+    };
+
+    const { exitCode } = await runCli([
+      "node",
+      "assistant",
+      "config",
+      "get",
+      "services.inference.mode",
+    ]);
+
+    expect(exitCode).toBe(0);
+    // No writes should have occurred
+    expect(mockSaveRawConfigCalls).toHaveLength(0);
+    expect(mockSetNestedValueCalls).toHaveLength(0);
+  });
+
+  test("config set services.web-search.mode managed — fails when not connected", async () => {
+    const { exitCode, stdout } = await runCli([
+      "node",
+      "assistant",
+      "--json",
+      "config",
+      "set",
+      "services.web-search.mode",
+      "managed",
+    ]);
+
+    expect(exitCode).toBe(1);
+    const parsed = JSON.parse(stdout);
+    expect(parsed.ok).toBe(false);
+    expect(parsed.error).toContain("vellum platform connect");
+    expect(mockSaveRawConfigCalls).toHaveLength(0);
+  });
+
+  test("config set services.inference.mode managed — succeeds when connected", async () => {
+    mockPlatformClientCreate = async () => ({
+      platformAssistantId: "asst-123",
+      fetch: async () => new Response(),
+    });
+
+    const { exitCode } = await runCli([
+      "node",
+      "assistant",
+      "config",
+      "set",
+      "services.inference.mode",
+      "managed",
+    ]);
+
+    expect(exitCode).toBe(0);
+    expect(mockSetNestedValueCalls).toHaveLength(1);
+    expect(mockSetNestedValueCalls[0]!.key).toBe("services.inference.mode");
+    expect(mockSetNestedValueCalls[0]!.value).toBe("managed");
+    expect(mockSaveRawConfigCalls).toHaveLength(1);
+  });
+});

package/src/__tests__/confirmation-request-guardian-bridge.test.ts

@@ -8,7 +8,7 @@
  * 4. Missing guardian binding causes a skip
  */
 
-import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
+import { beforeEach, describe, expect, mock, test } from "bun:test";
 
 mock.module("../util/logger.js", () => ({
   getLogger: () =>
@@ -76,7 +76,7 @@ import {
   generateCanonicalRequestCode,
   listCanonicalGuardianDeliveries,
 } from "../memory/canonical-guardian-store.js";
-import { getDb, initializeDb, resetDb } from "../memory/db.js";
+import { getDb, initializeDb } from "../memory/db.js";
 import { bridgeConfirmationRequestToGuardian } from "../runtime/confirmation-request-guardian-bridge.js";
 
 initializeDb();
@@ -87,10 +87,6 @@ function resetTables(): void {
   db.run("DELETE FROM canonical_guardian_requests");
 }
 
-afterAll(() => {
-  resetDb();
-});
-
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------