@vellumai/assistant 0.5.2 → 0.5.3

package/src/tasks/task-store.ts

@@ -1,4 +1,4 @@
-import { desc, eq, inArray } from "drizzle-orm";
+import { asc, desc, eq, inArray, or } from "drizzle-orm";
 
 import { getDb } from "../memory/db.js";
 import { taskRuns, tasks, workItems } from "../memory/schema.js";
@@ -139,3 +139,45 @@ export function getTaskRun(id: string): TaskRun | undefined {
   const db = getDb();
   return db.select().from(taskRuns).where(eq(taskRuns.id, id)).get();
 }
+
+// ── Brief Helpers ─────────────────────────────────────────────────────
+
+/**
+ * Lightweight read-only projection of a work item used by the brief compiler.
+ * Avoids pulling the full WorkItem type with all its tool/approval fields.
+ */
+export interface ActionableWorkItem {
+  id: string;
+  taskId: string;
+  title: string;
+  status: string;
+  priorityTier: number;
+  updatedAt: number;
+}
+
+/**
+ * Return actionable work items — those that are queued, running, or
+ * awaiting review. Ordered by priority (high first) then most-recently-updated.
+ */
+export function getActionableWorkItems(): ActionableWorkItem[] {
+  const db = getDb();
+  return db
+    .select({
+      id: workItems.id,
+      taskId: workItems.taskId,
+      title: workItems.title,
+      status: workItems.status,
+      priorityTier: workItems.priorityTier,
+      updatedAt: workItems.updatedAt,
+    })
+    .from(workItems)
+    .where(
+      or(
+        eq(workItems.status, "queued"),
+        eq(workItems.status, "running"),
+        eq(workItems.status, "awaiting_review"),
+      ),
+    )
+    .orderBy(asc(workItems.priorityTier), desc(workItems.updatedAt))
+    .all();
+}

package/src/tools/permission-checker.ts

@@ -142,10 +142,17 @@ export class PermissionChecker {
         // is the owner - prompting makes no sense when there is no client.
         // Exception: requireFreshApproval tools cannot be auto-approved -
         // without a human present, bundle installation must be denied.
+        // Exception: inline-command skill loads (skill_load_dynamic:*) must
+        // never be silently auto-approved — they execute embedded commands
+        // and require explicit human review or a pinned trust rule.
+        const isDynamicSkillLoad =
+          result.matchedRule?.pattern.startsWith("skill_load_dynamic:") ===
+          true;
         if (
           context.isInteractive === false &&
           context.trustClass === "guardian" &&
-          !context.requireFreshApproval
+          !context.requireFreshApproval &&
+          !isDynamicSkillLoad
         ) {
           log.info(
             { toolName: name, riskLevel },

package/src/tools/skills/load.ts

@@ -21,12 +21,24 @@ import {
   indexCatalogById,
   validateIncludes,
 } from "../../skills/include-graph.js";
+import { renderInlineCommands } from "../../skills/inline-command-render.js";
 import { parseToolManifestFile } from "../../skills/tool-manifest.js";
 import { computeSkillVersionHash } from "../../skills/version-hash.js";
 import { getLogger } from "../../util/logger.js";
+import { getWorkspaceDirDisplay } from "../../util/platform.js";
 import { registerTool } from "../registry.js";
 import type { Tool, ToolContext, ToolExecutionResult } from "../types.js";
 
+/** Canonical feature flag key for inline skill command expansion. */
+const INLINE_COMMANDS_FLAG_KEY = "feature_flags.inline-skill-commands.enabled";
+
+/** Skill sources eligible for inline command expansion in v1. */
+const INLINE_COMMAND_ELIGIBLE_SOURCES = new Set([
+  "bundled",
+  "managed",
+  "workspace",
+]);
+
 const log = getLogger("skill-load");
 
 /**
@@ -76,7 +88,9 @@ function formatToolSchemas(
 
   for (const tool of manifest.tools) {
     lines.push(`${toolHeadingLevel} ${tool.name}`);
-    lines.push(tool.description);
+    lines.push(
+      tool.description.replaceAll("{workspaceDir}", getWorkspaceDirDisplay()),
+    );
 
     const schema = tool.input_schema;
     const properties = schema.properties as
@@ -96,7 +110,7 @@ function formatToolSchemas(
           : "optional";
         const descPart =
           typeof paramDef.description === "string"
-            ? `: ${paramDef.description}`
+            ? `: ${paramDef.description.replaceAll("{workspaceDir}", getWorkspaceDirDisplay())}`
             : "";
         lines.push(
           `- ${paramName} (${paramType}, ${requiredLabel})${descPart}`,
@@ -113,7 +127,7 @@ function formatToolSchemas(
 export class SkillLoadTool implements Tool {
   name = "skill_load";
   description =
-    "Load full instructions for a skill. Works for both bundled skills (listed in the catalog) and workspace skills in ~/.vellum/workspace/skills.";
+    "Load full instructions for a skill. Works for both bundled skills (listed in the catalog) and custom workspace skills.";
   category = "skills";
   defaultRiskLevel = RiskLevel.Low;
 
@@ -136,7 +150,7 @@ export class SkillLoadTool implements Tool {
 
   async execute(
     input: Record<string, unknown>,
-    _context: ToolContext,
+    context: ToolContext,
   ): Promise<ToolExecutionResult> {
     const selector = input.skill;
     if (typeof selector !== "string" || selector.trim().length === 0) {
@@ -279,7 +293,63 @@ export class SkillLoadTool implements Tool {
       }
     }
 
-    const body = skill.body.length > 0 ? skill.body : "(No body content)";
+    let body = skill.body.length > 0 ? skill.body : "(No body content)";
+
+    // ── Inline command expansion ──────────────────────────────────────────
+    const hasInlineCommands =
+      skill.inlineCommandExpansions && skill.inlineCommandExpansions.length > 0;
+
+    if (hasInlineCommands) {
+      const inlineFlagEnabled = isAssistantFeatureFlagEnabled(
+        INLINE_COMMANDS_FLAG_KEY,
+        config,
+      );
+
+      if (!inlineFlagEnabled) {
+        // Feature flag is off: fail closed instead of leaving live tokens in
+        // the prompt that the LLM might try to interpret.
+        return {
+          content: `Error: skill "${skill.id}" contains inline command expansions but the inline-skill-commands feature flag is disabled. Enable the flag to use this skill.`,
+          isError: true,
+        };
+      }
+
+      if (skill.source === "extra") {
+        // Third-party extra roots are out of scope for inline command
+        // expansion in v1. Reject explicitly so the failure is clear.
+        return {
+          content: `Error: skill "${skill.id}" contains inline command expansions but inline commands are not supported for third-party (extra) skill sources.`,
+          isError: true,
+        };
+      }
+
+      if (!INLINE_COMMAND_ELIGIBLE_SOURCES.has(skill.source)) {
+        // Defensive: reject any other unknown sources that somehow have
+        // inline commands. Should not happen with current SkillSource values,
+        // but fail closed if a new source type is added without updating this.
+        return {
+          content: `Error: skill "${skill.id}" contains inline command expansions but source "${skill.source}" is not eligible for inline command expansion.`,
+          isError: true,
+        };
+      }
+
+      // Render inline commands by executing each through the sandbox runner
+      const renderResult = await renderInlineCommands(
+        body,
+        skill.inlineCommandExpansions!,
+        context.workingDir,
+      );
+      body = renderResult.renderedBody;
+
+      log.info(
+        {
+          skillId: skill.id,
+          expandedCount: renderResult.expandedCount,
+          failedCount: renderResult.failedCount,
+        },
+        "Rendered inline command expansions",
+      );
+    }
 
     // Build reference file listing (if any)
     const referenceListing = listReferenceFiles(skill.directoryPath);
@@ -313,8 +383,72 @@ export class SkillLoadTool implements Tool {
         // Load the included skill's body content
         const childLoaded = loadSkillBySelector(childId);
         if (childLoaded.skill && childLoaded.skill.body.length > 0) {
+          let childBody = childLoaded.skill.body;
+
+          // ── Inline command expansion for included child skill ─────────
+          const childHasInlineCommands =
+            childLoaded.skill.inlineCommandExpansions &&
+            childLoaded.skill.inlineCommandExpansions.length > 0;
+
+          if (childHasInlineCommands) {
+            const childInlineFlagEnabled = isAssistantFeatureFlagEnabled(
+              INLINE_COMMANDS_FLAG_KEY,
+              config,
+            );
+
+            // Fail closed: if the flag is off, reject the entire skill_load
+            // just like we do for root skills. Leaving raw !`...` tokens in
+            // the prompt would violate the documented fail-closed contract.
+            if (!childInlineFlagEnabled) {
+              return {
+                content: `Error: included skill "${childId}" contains inline command expansions but the inline-skill-commands feature flag is disabled. Enable the flag to use skill "${skill.id}".`,
+                isError: true,
+              };
+            }
+
+            if (childLoaded.skill.source === "extra") {
+              return {
+                content: `Error: included skill "${childId}" contains inline command expansions but inline commands are not supported for third-party (extra) skill sources.`,
+                isError: true,
+              };
+            }
+
+            if (
+              !INLINE_COMMAND_ELIGIBLE_SOURCES.has(childLoaded.skill.source)
+            ) {
+              return {
+                content: `Error: included skill "${childId}" contains inline command expansions but source "${childLoaded.skill.source}" is not eligible for inline command expansion.`,
+                isError: true,
+              };
+            }
+
+            try {
+              const childRenderResult = await renderInlineCommands(
+                childBody,
+                childLoaded.skill.inlineCommandExpansions!,
+                context.workingDir,
+              );
+              childBody = childRenderResult.renderedBody;
+
+              log.info(
+                {
+                  skillId: childId,
+                  parentSkillId: skill.id,
+                  expandedCount: childRenderResult.expandedCount,
+                  failedCount: childRenderResult.failedCount,
+                },
+                "Rendered inline command expansions for included skill",
+              );
+            } catch (err) {
+              log.warn(
+                { err, skillId: childId, parentSkillId: skill.id },
+                "Failed to render inline commands for included skill, using raw body",
+              );
+            }
+          }
+
           includedBodies.push(
-            `--- Included Skill: ${childLoaded.skill.displayName} (${childId}) ---\n${childLoaded.skill.body}`,
+            `--- Included Skill: ${childLoaded.skill.displayName} (${childId}) ---\n${childBody}`,
           );
 
           // List reference files for the included skill

package/src/util/platform.ts

@@ -366,6 +366,24 @@ export function getWorkspaceDir(): string {
   return join(getRootDir(), "workspace");
 }
 
+/**
+ * Returns a display-friendly workspace path for embedding in agent-facing text
+ * (skill bodies, tool descriptions). Replaces the home directory prefix with `~`
+ * so paths stay concise and portable across machines.
+ *
+ * Examples:
+ *   /Users/sidd/.vellum/workspace → ~/.vellum/workspace
+ *   /data/.vellum/workspace       → /data/.vellum/workspace
+ */
+export function getWorkspaceDirDisplay(): string {
+  const abs = getWorkspaceDir();
+  const home = homedir();
+  if (abs.startsWith(home + "/") || abs === home) {
+    return "~" + abs.slice(home.length);
+  }
+  return abs;
+}
+
 /** Returns ~/.vellum/workspace/config.json */
 export function getWorkspaceConfigPath(): string {
   return join(getWorkspaceDir(), "config.json");

package/src/workspace/migrations/{002-backfill-installation-id.ts → 011-backfill-installation-id.ts}

@@ -11,7 +11,7 @@ import { getExternalAssistantId } from "../../runtime/auth/external-assistant-id
 import type { WorkspaceMigration } from "./types.js";
 
 export const backfillInstallationIdMigration: WorkspaceMigration = {
-  id: "002-backfill-installation-id",
+  id: "011-backfill-installation-id",
   description:
     "Backfill installationId into lockfile from SQLite checkpoint and clean up stale row",
   run(_workspaceDir: string): void {

package/src/workspace/migrations/registry.ts

@@ -1,5 +1,4 @@
 import { avatarRenameMigration } from "./001-avatar-rename.js";
-import { backfillInstallationIdMigration } from "./002-backfill-installation-id.js";
 import { seedDeviceIdMigration } from "./003-seed-device-id.js";
 import { extractCollectUsageDataMigration } from "./004-extract-collect-usage-data.js";
 import { addSendDiagnosticsMigration } from "./005-add-send-diagnostics.js";
@@ -8,6 +7,7 @@ import { webSearchProviderRenameMigration } from "./007-web-search-provider-rena
 import { voiceTimeoutAndMaxStepsMigration } from "./008-voice-timeout-and-max-steps.js";
 import { backfillConversationDiskViewMigration } from "./009-backfill-conversation-disk-view.js";
 import { appDirRenameMigration } from "./010-app-dir-rename.js";
+import { backfillInstallationIdMigration } from "./011-backfill-installation-id.js";
 import { renameConversationDiskViewDirsMigration } from "./012-rename-conversation-disk-view-dirs.js";
 import { repairConversationDiskViewMigration } from "./013-repair-conversation-disk-view.js";
 import type { WorkspaceMigration } from "./types.js";