npm - @vellumai/assistant - Versions diffs - 0.5.3 → 0.5.5 - Mend

@vellumai/assistant 0.5.3 → 0.5.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (111) hide show

package/Dockerfile +18 -27
package/docs/architecture/memory.md +105 -0
package/node_modules/@vellumai/ces-contracts/src/index.ts +1 -0
package/node_modules/@vellumai/ces-contracts/src/trust-rules.ts +42 -0
package/package.json +1 -1
package/src/__tests__/archive-recall.test.ts +560 -0
package/src/__tests__/conversation-clear-safety.test.ts +259 -0
package/src/__tests__/conversation-switch-memory-reduction.test.ts +474 -0
package/src/__tests__/credential-security-invariants.test.ts +2 -0
package/src/__tests__/db-schedule-syntax-migration.test.ts +3 -0
package/src/__tests__/memory-reducer-job.test.ts +538 -0
package/src/__tests__/memory-reducer-scheduling.test.ts +473 -0
package/src/__tests__/memory-reducer-types.test.ts +12 -4
package/src/__tests__/memory-reducer.test.ts +7 -1
package/src/__tests__/memory-regressions.test.ts +24 -4
package/src/__tests__/memory-simplified-config.test.ts +4 -4
package/src/__tests__/openai-whisper.test.ts +93 -0
package/src/__tests__/simplified-memory-e2e.test.ts +666 -0
package/src/__tests__/simplified-memory-runtime.test.ts +616 -0
package/src/__tests__/slack-messaging-token-resolution.test.ts +319 -0
package/src/__tests__/volume-security-guard.test.ts +155 -0
package/src/cli/commands/conversations.ts +18 -0
package/src/config/bundled-skills/messaging/tools/shared.ts +1 -0
package/src/config/bundled-skills/schedule/TOOLS.json +8 -0
package/src/config/bundled-skills/transcribe/tools/transcribe-media.ts +16 -37
package/src/config/env-registry.ts +9 -0
package/src/config/feature-flag-registry.json +8 -0
package/src/config/loader.ts +0 -1
package/src/config/schemas/memory-simplified.ts +1 -1
package/src/credential-execution/managed-catalog.ts +5 -15
package/src/daemon/config-watcher.ts +4 -1
package/src/daemon/conversation-memory.ts +117 -0
package/src/daemon/conversation-runtime-assembly.ts +1 -0
package/src/daemon/daemon-control.ts +7 -0
package/src/daemon/handlers/conversations.ts +11 -0
package/src/daemon/lifecycle.ts +51 -2
package/src/daemon/providers-setup.ts +2 -1
package/src/hooks/manager.ts +7 -0
package/src/instrument.ts +33 -1
package/src/memory/archive-recall.ts +516 -0
package/src/memory/brief-time.ts +5 -4
package/src/memory/conversation-crud.ts +210 -0
package/src/memory/conversation-key-store.ts +33 -4
package/src/memory/db-init.ts +4 -0
package/src/memory/embedding-local.ts +11 -5
package/src/memory/job-handlers/backfill-simplified-memory.ts +462 -0
package/src/memory/job-handlers/conversation-starters.ts +24 -30
package/src/memory/job-handlers/reduce-conversation-memory.ts +229 -0
package/src/memory/jobs-store.ts +2 -0
package/src/memory/jobs-worker.ts +8 -0
package/src/memory/migrations/036-normalize-phone-identities.ts +49 -14
package/src/memory/migrations/135-backfill-contact-interaction-stats.ts +9 -1
package/src/memory/migrations/141-rename-verification-table.ts +8 -0
package/src/memory/migrations/142-rename-verification-session-id-column.ts +7 -2
package/src/memory/migrations/174-rename-thread-starters-table.ts +8 -0
package/src/memory/migrations/188-schedule-quiet-flag.ts +13 -0
package/src/memory/migrations/index.ts +1 -0
package/src/memory/reducer-scheduler.ts +242 -0
package/src/memory/reducer-types.ts +9 -2
package/src/memory/reducer.ts +25 -11
package/src/memory/schema/infrastructure.ts +1 -0
package/src/messaging/provider.ts +9 -0
package/src/messaging/providers/slack/adapter.ts +29 -2
package/src/oauth/connection-resolver.test.ts +22 -18
package/src/oauth/connection-resolver.ts +92 -7
package/src/oauth/platform-connection.test.ts +78 -69
package/src/oauth/platform-connection.ts +12 -19
package/src/permissions/trust-client.ts +343 -0
package/src/permissions/trust-store-interface.ts +105 -0
package/src/permissions/trust-store.ts +523 -36
package/src/platform/client.test.ts +148 -0
package/src/platform/client.ts +71 -0
package/src/providers/speech-to-text/openai-whisper.test.ts +190 -0
package/src/providers/speech-to-text/openai-whisper.ts +68 -0
package/src/providers/speech-to-text/resolve.ts +9 -0
package/src/providers/speech-to-text/types.ts +17 -0
package/src/runtime/auth/route-policy.ts +10 -1
package/src/runtime/http-server.ts +2 -2
package/src/runtime/routes/conversation-management-routes.ts +88 -2
package/src/runtime/routes/guardian-bootstrap-routes.ts +19 -7
package/src/runtime/routes/inbound-message-handler.ts +27 -3
package/src/runtime/routes/inbound-stages/acl-enforcement.ts +16 -1
package/src/runtime/routes/inbound-stages/transcribe-audio.test.ts +287 -0
package/src/runtime/routes/inbound-stages/transcribe-audio.ts +122 -0
package/src/runtime/routes/log-export-routes.ts +1 -0
package/src/runtime/routes/secret-routes.ts +5 -1
package/src/schedule/schedule-store.ts +7 -0
package/src/schedule/scheduler.ts +6 -2
package/src/security/ces-credential-client.ts +173 -0
package/src/security/secure-keys.ts +65 -22
package/src/signals/bash.ts +3 -0
package/src/signals/cancel.ts +3 -0
package/src/signals/confirm.ts +3 -0
package/src/signals/conversation-undo.ts +3 -0
package/src/signals/event-stream.ts +7 -0
package/src/signals/shotgun.ts +3 -0
package/src/signals/trust-rule.ts +3 -0
package/src/telemetry/usage-telemetry-reporter.test.ts +23 -36
package/src/telemetry/usage-telemetry-reporter.ts +22 -20
package/src/tools/filesystem/edit.ts +6 -1
package/src/tools/filesystem/read.ts +6 -1
package/src/tools/filesystem/write.ts +6 -1
package/src/tools/memory/handlers.ts +129 -1
package/src/tools/schedule/create.ts +3 -0
package/src/tools/schedule/list.ts +5 -1
package/src/tools/schedule/update.ts +6 -0
package/src/util/device-id.ts +70 -7
package/src/util/logger.ts +35 -9
package/src/util/platform.ts +29 -5
package/src/workspace/migrations/migrate-to-workspace-volume.ts +113 -0
package/src/workspace/migrations/registry.ts +2 -0

package/src/__tests__/conversation-clear-safety.test.ts ADDED Viewed

@@ -0,0 +1,259 @@
+/**
+ * Safety tests for DELETE /v1/conversations (clear all conversations).
+ *
+ * Covers:
+ * - Route policy requires `settings.write` scope (not just `chat.write`)
+ * - Missing X-Confirm-Destructive header returns 400 with explanatory message
+ * - Wrong header value returns 400
+ * - Correct scope + header clears data and returns 204
+ * - lifecycle_events contains `conversations_clear_all` audit entry after clear
+ */
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterAll, describe, expect, mock, test } from "bun:test";
+const testDir = mkdtempSync(join(tmpdir(), "conv-clear-safety-test-"));
+mock.module("../util/platform.js", () => ({
+  getRootDir: () => testDir,
+  getDataDir: () => testDir,
+  isMacOS: () => process.platform === "darwin",
+  isLinux: () => process.platform === "linux",
+  isWindows: () => process.platform === "win32",
+  getPidPath: () => join(testDir, "test.pid"),
+  getDbPath: () => join(testDir, "test.db"),
+  getLogPath: () => join(testDir, "test.log"),
+  ensureDataDir: () => {},
+}));
+mock.module("../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+}));
+// Auth is NOT disabled — we need enforcePolicy to actually check scopes.
+let authDisabled = false;
+mock.module("../config/env.js", () => ({
+  isHttpAuthDisabled: () => authDisabled,
+  hasUngatedHttpAuthDisabled: () => false,
+}));
+import {
+  addMessage,
+  clearAll,
+  createConversation,
+  getConversation,
+} from "../memory/conversation-crud.js";
+import { getDb, initializeDb, resetDb } from "../memory/db.js";
+import { enforcePolicy, getPolicy } from "../runtime/auth/route-policy.js";
+import type { AuthContext, Scope } from "../runtime/auth/types.js";
+import { conversationManagementRouteDefinitions } from "../runtime/routes/conversation-management-routes.js";
+initializeDb();
+afterAll(() => {
+  resetDb();
+  try {
+    rmSync(testDir, { recursive: true });
+  } catch {
+    /* best effort */
+  }
+});
+/** Build a synthetic AuthContext for testing. */
+function buildAuthContext(overrides?: {
+  principalType?: AuthContext["principalType"];
+  scopes?: Scope[];
+}): AuthContext {
+  return {
+    subject: "actor:self:test-principal",
+    principalType: overrides?.principalType ?? "actor",
+    assistantId: "self",
+    actorPrincipalId: "test-principal",
+    scopeProfile: "actor_client_v1",
+    scopes: new Set(
+      overrides?.scopes ?? [
+        "chat.read",
+        "chat.write",
+        "approval.read",
+        "approval.write",
+      ],
+    ),
+    policyEpoch: 1,
+  };
+}
+// ---------------------------------------------------------------------------
+// Route policy tests (scope check — enforcePolicy level)
+// ---------------------------------------------------------------------------
+describe("DELETE /v1/conversations — route policy", () => {
+  test("conversations/clear-all requires settings.write scope", () => {
+    authDisabled = false;
+    const policy = getPolicy("conversations/clear-all");
+    expect(policy).toBeDefined();
+    expect(policy!.requiredScopes).toContain("settings.write");
+  });
+  test("chat.write-only token is rejected with 403 for clear-all", () => {
+    authDisabled = false;
+    const ctx = buildAuthContext({
+      scopes: ["chat.read", "chat.write"],
+    });
+    const result = enforcePolicy("conversations/clear-all", ctx);
+    expect(result).not.toBeNull();
+    expect(result!.status).toBe(403);
+  });
+  test("settings.write token is allowed through clear-all policy", () => {
+    authDisabled = false;
+    const ctx = buildAuthContext({
+      scopes: ["settings.write"],
+    });
+    const result = enforcePolicy("conversations/clear-all", ctx);
+    expect(result).toBeNull();
+  });
+  test("single-conversation DELETE (conversations:DELETE) only requires chat.write", () => {
+    authDisabled = false;
+    const policy = getPolicy("conversations:DELETE");
+    expect(policy).toBeDefined();
+    expect(policy!.requiredScopes).toContain("chat.write");
+    expect(policy!.requiredScopes).not.toContain("settings.write");
+    // A chat.write token should pass the single-conversation delete policy
+    const ctx = buildAuthContext({
+      scopes: ["chat.read", "chat.write"],
+    });
+    const result = enforcePolicy("conversations:DELETE", ctx);
+    expect(result).toBeNull();
+  });
+});
+// ---------------------------------------------------------------------------
+// Route handler tests (header check + happy path)
+// ---------------------------------------------------------------------------
+describe("DELETE /v1/conversations — route handler", () => {
+  /** Get the DELETE conversations handler from the route definitions. */
+  function getDeleteHandler() {
+    let clearCalled = false;
+    const routes = conversationManagementRouteDefinitions({
+      switchConversation: async () => null,
+      renameConversation: () => true,
+      clearAllConversations: () => {
+        clearCalled = true;
+        return clearAll().conversations;
+      },
+      cancelGeneration: () => true,
+      destroyConversation: () => {},
+      undoLastMessage: async () => null,
+      regenerateResponse: async () => null,
+    });
+    const deleteRoute = routes.find(
+      (r) => r.endpoint === "conversations" && r.method === "DELETE",
+    );
+    if (!deleteRoute) throw new Error("DELETE conversations route not found");
+    return { handler: deleteRoute.handler, wasClearCalled: () => clearCalled };
+  }
+  test("missing X-Confirm-Destructive header returns 400 with explanatory message", async () => {
+    const { handler } = getDeleteHandler();
+    const req = new Request("http://localhost/v1/conversations", {
+      method: "DELETE",
+    });
+    const response = await handler({
+      req,
+      url: new URL(req.url),
+      server: {} as never,
+      authContext: buildAuthContext({ scopes: ["settings.write"] }),
+      params: {},
+    });
+    expect(response.status).toBe(400);
+    const body = (await response.json()) as {
+      error: { code: string; message: string };
+    };
+    expect(body.error.code).toBe("BAD_REQUEST");
+    expect(body.error.message).toContain("X-Confirm-Destructive");
+    expect(body.error.message).toContain("clear-all-conversations");
+  });
+  test("wrong X-Confirm-Destructive header value returns 400", async () => {
+    const { handler } = getDeleteHandler();
+    const req = new Request("http://localhost/v1/conversations", {
+      method: "DELETE",
+      headers: { "X-Confirm-Destructive": "wrong-value" },
+    });
+    const response = await handler({
+      req,
+      url: new URL(req.url),
+      server: {} as never,
+      authContext: buildAuthContext({ scopes: ["settings.write"] }),
+      params: {},
+    });
+    expect(response.status).toBe(400);
+    const body = (await response.json()) as {
+      error: { code: string; message: string };
+    };
+    expect(body.error.code).toBe("BAD_REQUEST");
+  });
+  test("correct scope + header clears data and returns 204", async () => {
+    // Seed a conversation so we can verify it gets cleared
+    const conv = createConversation("safety-test-conv");
+    await addMessage(conv.id, "user", "hello from safety test");
+    expect(getConversation(conv.id)).not.toBeNull();
+    const { handler, wasClearCalled } = getDeleteHandler();
+    const req = new Request("http://localhost/v1/conversations", {
+      method: "DELETE",
+      headers: { "X-Confirm-Destructive": "clear-all-conversations" },
+    });
+    const response = await handler({
+      req,
+      url: new URL(req.url),
+      server: {} as never,
+      authContext: buildAuthContext({ scopes: ["settings.write"] }),
+      params: {},
+    });
+    expect(response.status).toBe(204);
+    expect(wasClearCalled()).toBe(true);
+    // Conversation should be gone
+    expect(getConversation(conv.id)).toBeNull();
+  });
+  test("lifecycle_events contains conversations_clear_all after successful clear", async () => {
+    const { handler } = getDeleteHandler();
+    const req = new Request("http://localhost/v1/conversations", {
+      method: "DELETE",
+      headers: { "X-Confirm-Destructive": "clear-all-conversations" },
+    });
+    await handler({
+      req,
+      url: new URL(req.url),
+      server: {} as never,
+      authContext: buildAuthContext({ scopes: ["settings.write"] }),
+      params: {},
+    });
+    // Query lifecycle_events table directly
+    const raw = (
+      getDb() as unknown as {
+        $client: import("bun:sqlite").Database;
+      }
+    ).$client;
+    const rows = raw
+      .query(
+        "SELECT event_name FROM lifecycle_events WHERE event_name = 'conversations_clear_all'",
+      )
+      .all() as Array<{ event_name: string }>;
+    expect(rows.length).toBeGreaterThanOrEqual(1);
+    expect(rows[0].event_name).toBe("conversations_clear_all");
+  });
+});