@vellumai/assistant 0.5.4 → 0.5.5

package/src/__tests__/volume-security-guard.test.ts

@@ -0,0 +1,155 @@
+import { execFileSync } from "node:child_process";
+import { join } from "node:path";
+import { describe, expect, test } from "bun:test";
+
+/**
+ * Guard test: assistant source code must not directly access files in the
+ * `protected/` directory (`trust.json`, `keys.enc`, `store.key`,
+ * `actor-token-signing-key`). In containerized (Docker) mode these files
+ * live outside the assistant's data volume and are managed by the gateway.
+ *
+ * All access must go through the appropriate abstraction layer:
+ *  - Trust rules: trust-store.ts / trust-client.ts (file vs gateway backend)
+ *  - Credentials: encrypted-store.ts / ces-credential-client.ts
+ *  - Signing keys: secure-keys.ts / credential-backend.ts
+ *
+ * Only the abstraction-layer files themselves (and tests) are allowed to
+ * reference the raw file paths / helper functions.
+ */
+
+// ---------------------------------------------------------------------------
+// Allowed files — abstraction layers that legitimately access protected/ files
+// ---------------------------------------------------------------------------
+
+const ALLOWED_FILES = new Set([
+  // Trust store backends
+  "assistant/src/permissions/trust-store.ts",
+  "assistant/src/permissions/trust-client.ts",
+  "assistant/src/permissions/trust-store-interface.ts",
+  // Credential / encrypted store backends
+  "assistant/src/security/encrypted-store.ts",
+  "assistant/src/security/secure-keys.ts",
+  "assistant/src/security/credential-backend.ts",
+  "assistant/src/security/ces-credential-client.ts",
+  // Token service owns the signing key lifecycle
+  "assistant/src/runtime/auth/token-service.ts",
+  // CLI commands that run outside Docker (doctor diagnostics, trust management)
+  "assistant/src/cli/commands/doctor.ts",
+  "assistant/src/cli/commands/trust.ts",
+  // Auth middleware documentation comment (not a file access)
+  "assistant/src/runtime/auth/middleware.ts",
+]);
+
+// ---------------------------------------------------------------------------
+// Patterns that indicate direct access to protected directory files
+// ---------------------------------------------------------------------------
+
+/**
+ * Each entry is a `git grep -E` pattern and a human-readable description
+ * for the error message.
+ */
+const GUARDED_PATTERNS: Array<{ pattern: string; description: string }> = [
+  {
+    pattern: "protected/trust\\.json",
+    description: "direct reference to protected/trust.json",
+  },
+  {
+    pattern: "protected/keys\\.enc",
+    description: "direct reference to protected/keys.enc",
+  },
+  {
+    pattern: "protected/store\\.key",
+    description: "direct reference to protected/store.key",
+  },
+  {
+    pattern: "actor-token-signing-key",
+    description: "direct reference to actor-token-signing-key file",
+  },
+  {
+    pattern: "\\bgetTrustPath\\b",
+    description: "use of getTrustPath() (trust-store internal)",
+  },
+  {
+    pattern: "\\bgetStoreKeyPath\\b",
+    description: "use of getStoreKeyPath() (encrypted-store internal)",
+  },
+];
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function getRepoRoot(): string {
+  return join(process.cwd(), "..");
+}
+
+function isTestFile(filePath: string): boolean {
+  return (
+    filePath.includes("/__tests__/") ||
+    filePath.endsWith(".test.ts") ||
+    filePath.endsWith(".test.js") ||
+    filePath.endsWith(".spec.ts") ||
+    filePath.endsWith(".spec.js")
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("volume security: protected directory access guard", () => {
+  for (const { pattern, description } of GUARDED_PATTERNS) {
+    test(`no ${description} outside allowed files`, () => {
+      const repoRoot = getRepoRoot();
+
+      let grepOutput = "";
+      try {
+        grepOutput = execFileSync(
+          "git",
+          [
+            "grep",
+            "-lE",
+            pattern,
+            "--",
+            "assistant/src/**/*.ts",
+            "assistant/src/*.ts",
+          ],
+          { encoding: "utf-8", cwd: repoRoot },
+        ).trim();
+      } catch (err) {
+        // Exit code 1 means no matches — happy path
+        if ((err as { status?: number }).status === 1) {
+          return;
+        }
+        throw err;
+      }
+
+      const files = grepOutput.split("\n").filter((f) => f.length > 0);
+      const violations = files.filter(
+        (f) => !isTestFile(f) && !ALLOWED_FILES.has(f),
+      );
+
+      if (violations.length > 0) {
+        const message = [
+          `Found assistant source files with ${description}.`,
+          "",
+          "In containerized (Docker) mode, the protected/ directory is not",
+          "accessible to the assistant. All access to protected files must go",
+          "through the abstraction layers:",
+          "  - Trust rules: trust-store.ts / trust-client.ts",
+          "  - Credentials: encrypted-store.ts / ces-credential-client.ts",
+          "  - Signing keys: secure-keys.ts / credential-backend.ts",
+          "",
+          "If this file is a new abstraction backend, add it to ALLOWED_FILES",
+          "in this guard test. Otherwise, use the appropriate abstraction layer",
+          "or gate the access behind !getIsContainerized().",
+          "",
+          "Violations:",
+          ...violations.map((f) => `  - ${f}`),
+        ].join("\n");
+
+        expect(violations, message).toEqual([]);
+      }
+    });
+  }
+});

package/src/config/bundled-skills/messaging/tools/shared.ts

@@ -136,6 +136,7 @@ export async function getProviderConnection(
   provider: MessagingProvider,
   account?: string,
 ): Promise<OAuthConnection | string> {
+  if (provider.resolveConnection) return provider.resolveConnection(account);
   if (await provider.isConnected?.()) return "";
   return resolveOAuthConnection(provider.credentialService, { account });
 }

package/src/config/bundled-skills/transcribe/tools/transcribe-media.ts

@@ -10,6 +10,7 @@ import {
 import { tmpdir } from "node:os";
 import { extname, join } from "node:path";
 
+import { OpenAIWhisperProvider } from "../../../../providers/speech-to-text/openai-whisper.js";
 import { getProviderKeyAsync } from "../../../../security/secure-keys.js";
 import type {
   ToolContext,
@@ -168,12 +169,19 @@ async function transcribeViaApi(
   apiKey: string,
   context: ToolContext,
 ): Promise<string> {
+  const provider = new OpenAIWhisperProvider(apiKey);
   const duration = await getAudioDuration(audioPath);
   const fileSize = Bun.file(audioPath).size;
 
   // If small enough, send directly
   if (fileSize <= WHISPER_API_MAX_BYTES) {
-    return await whisperApiRequest(audioPath, apiKey);
+    const audioBuffer = await readFile(audioPath);
+    const result = await provider.transcribe(
+      audioBuffer,
+      "audio/wav",
+      AbortSignal.timeout(API_REQUEST_TIMEOUT_MS),
+    );
+    return result.text;
   }
 
   // Split into chunks for large files
@@ -199,8 +207,13 @@ async function transcribeViaApi(
     for (let i = 0; i < chunks.length; i++) {
       if (context.signal?.aborted) throw new Error("Cancelled");
       context.onOutput?.(`  Transcribing chunk ${i + 1}/${chunks.length}...\n`);
-      const text = await whisperApiRequest(chunks[i], apiKey);
-      if (text) parts.push(text);
+      const audioBuffer = await readFile(chunks[i]);
+      const result = await provider.transcribe(
+        audioBuffer,
+        "audio/wav",
+        AbortSignal.timeout(API_REQUEST_TIMEOUT_MS),
+      );
+      if (result.text) parts.push(result.text);
     }
 
     return parts.join(" ");
@@ -213,40 +226,6 @@ async function transcribeViaApi(
   }
 }
 
-async function whisperApiRequest(
-  audioPath: string,
-  apiKey: string,
-): Promise<string> {
-  const audioData = await readFile(audioPath);
-  const formData = new FormData();
-  formData.append(
-    "file",
-    new Blob([audioData], { type: "audio/wav" }),
-    "audio.wav",
-  );
-  formData.append("model", "whisper-1");
-
-  const response = await fetch(
-    "https://api.openai.com/v1/audio/transcriptions",
-    {
-      method: "POST",
-      headers: { Authorization: `Bearer ${apiKey}` },
-      body: formData,
-      signal: AbortSignal.timeout(API_REQUEST_TIMEOUT_MS),
-    },
-  );
-
-  if (!response.ok) {
-    const body = await response.text().catch(() => "");
-    throw new Error(
-      `Whisper API error (${response.status}): ${body.slice(0, 300)}`,
-    );
-  }
-
-  const result = (await response.json()) as { text?: string };
-  return result.text?.trim() ?? "";
-}
-
 // ---------------------------------------------------------------------------
 // Local mode - whisper.cpp
 // ---------------------------------------------------------------------------

package/src/config/env-registry.ts

@@ -54,6 +54,15 @@ export function getIsContainerized(): boolean {
   return flag("IS_CONTAINERIZED");
 }
 
+/**
+ * WORKSPACE_DIR — string, default: undefined
+ * When set, overrides the default workspace directory. Used in containerized
+ * deployments where the workspace is a separate volume.
+ */
+export function getWorkspaceDirOverride(): string | undefined {
+  return str("WORKSPACE_DIR");
+}
+
 // ── Known env var names ──────────────────────────────────────────────────────
 
 /**

package/src/config/feature-flag-registry.json

@@ -288,6 +288,14 @@
       "label": "Inline Skill Command Expansion",
       "description": "Enable secure inline skill command expansion via !`command` syntax, with version-pinned approval and sandboxed execution at skill load time",
       "defaultEnabled": true
+    },
+    {
+      "id": "channel-voice-transcription",
+      "scope": "assistant",
+      "key": "feature_flags.channel-voice-transcription.enabled",
+      "label": "Channel Voice Transcription",
+      "description": "Auto-transcribe voice/audio messages received from channels (Telegram, WhatsApp) before processing",
+      "defaultEnabled": true
     }
   ]
 }

package/src/credential-execution/managed-catalog.ts

@@ -11,8 +11,7 @@
 
 import { platformOAuthHandle } from "@vellumai/ces-contracts";
 
-import { getPlatformAssistantId } from "../config/env.js";
-import { resolveManagedProxyContext } from "../providers/managed-proxy/context.js";
+import { VellumPlatformClient } from "../platform/client.js";
 import { getLogger } from "../util/logger.js";
 
 const log = getLogger("managed-catalog");
@@ -79,25 +78,18 @@ export interface FetchManagedCatalogResult {
  * error message that never contains secret material.
  */
 export async function fetchManagedCatalog(): Promise<FetchManagedCatalogResult> {
-  const ctx = await resolveManagedProxyContext();
+  const client = await VellumPlatformClient.create();
 
-  if (!ctx.enabled) {
+  if (!client || !client.platformAssistantId) {
     return { ok: true, descriptors: [] };
   }
 
-  const assistantId = getPlatformAssistantId();
-  if (!assistantId) {
-    log.warn("PLATFORM_ASSISTANT_ID not set; cannot fetch managed catalog");
-    return { ok: true, descriptors: [] };
-  }
-
-  const url = `${ctx.platformBaseUrl}/v1/assistants/${encodeURIComponent(assistantId)}/oauth/managed/catalog/`;
+  const path = `/v1/assistants/${encodeURIComponent(client.platformAssistantId)}/oauth/managed/catalog/`;
 
   try {
-    const response = await fetch(url, {
+    const response = await client.fetch(path, {
       method: "GET",
       headers: {
-        Authorization: `Api-Key ${ctx.assistantApiKey}`,
         Accept: "application/json",
       },
     });
@@ -139,8 +131,6 @@ export async function fetchManagedCatalog(): Promise<FetchManagedCatalogResult>
     return { ok: true, descriptors };
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
-    // Ensure the error message does not leak secrets — strip any URL params
-    // that might contain tokens (defensive, since we use Api-Key header).
     const safeMessage = message.replace(
       /Api-Key\s+\S+/gi,
       "Api-Key [REDACTED]",

package/src/daemon/config-watcher.ts

@@ -12,6 +12,7 @@ import {
 } from "node:fs";
 import { join } from "node:path";
 
+import { getIsContainerized } from "../config/env-registry.js";
 import { getConfig, invalidateConfigCache } from "../config/loader.js";
 import { clearEmbeddingBackendCache } from "../memory/embedding-backend.js";
 import { clearCache as clearTrustCache } from "../permissions/trust-store.js";
@@ -209,7 +210,9 @@ export class ConfigWatcher {
       );
     }
 
-    this.startSignalsWatcher();
+    if (!getIsContainerized()) {
+      this.startSignalsWatcher();
+    }
     this.startSkillsWatchers(onConversationEvict);
   }
 

package/src/daemon/daemon-control.ts

@@ -11,6 +11,7 @@ import {
 import { join, resolve } from "node:path";
 
 import { getRuntimeHttpHost, getRuntimeHttpPort } from "../config/env.js";
+import { getIsContainerized } from "../config/env-registry.js";
 import { DaemonError } from "../util/errors.js";
 import { getLogger } from "../util/logger.js";
 import {
@@ -157,6 +158,7 @@ export async function isHttpHealthy(): Promise<boolean> {
 }
 
 function readPid(): number | null {
+  if (getIsContainerized()) return null; // Docker manages process lifecycle
   const pidPath = getPidPath();
   if (!existsSync(pidPath)) return null;
   try {
@@ -168,10 +170,12 @@ function readPid(): number | null {
 }
 
 export function writePid(pid: number): void {
+  if (getIsContainerized()) return; // Docker manages process lifecycle
   writeFileSync(getPidPath(), String(pid));
 }
 
 export function cleanupPidFile(): void {
+  if (getIsContainerized()) return; // Docker manages process lifecycle
   const pidPath = getPidPath();
   if (existsSync(pidPath)) {
     unlinkSync(pidPath);
@@ -181,6 +185,7 @@ export function cleanupPidFile(): void {
 /** Only remove the PID file if it belongs to the given process. Prevents a
  *  failing second startup from deleting the PID of an already-running daemon. */
 export function cleanupPidFileIfOwner(ownerPid: number): void {
+  if (getIsContainerized()) return; // Docker manages process lifecycle
   const currentPid = readPid();
   if (currentPid === ownerPid) {
     cleanupPidFile();
@@ -188,6 +193,7 @@ export function cleanupPidFileIfOwner(ownerPid: number): void {
 }
 
 export function isDaemonRunning(): boolean {
+  if (getIsContainerized()) return true; // Container orchestrator manages lifecycle
   const pid = readPid();
   if (pid == null) return false;
   if (!isProcessRunning(pid)) {
@@ -201,6 +207,7 @@ export async function getDaemonStatus(): Promise<{
   running: boolean;
   pid?: number;
 }> {
+  if (getIsContainerized()) return { running: true, pid: process.pid }; // Container orchestrator manages lifecycle
   const pid = readPid();
   if (pid == null) return { running: false };
   if (!isProcessRunning(pid)) {

package/src/daemon/lifecycle.ts

@@ -20,7 +20,7 @@ import { loadConfig } from "../config/loader.js";
 import { HeartbeatService } from "../heartbeat/heartbeat-service.js";
 import { getHookManager } from "../hooks/manager.js";
 import { installTemplates } from "../hooks/templates.js";
-import { closeSentry, initSentry } from "../instrument.js";
+import { closeSentry, initSentry, setSentryDeviceId } from "../instrument.js";
 import { disableLogfire, initLogfire } from "../logfire.js";
 import { getMcpServerManager } from "../mcp/manager.js";
 import * as attachmentsStore from "../memory/attachments-store.js";
@@ -65,6 +65,7 @@ import { RuntimeHttpServer } from "../runtime/http-server.js";
 import { startScheduler } from "../schedule/scheduler.js";
 import { seedCatalogSkillMemories } from "../skills/skill-memory.js";
 import { UsageTelemetryReporter } from "../telemetry/usage-telemetry-reporter.js";
+import { getDeviceId } from "../util/device-id.js";
 import { getLogger, initLogger } from "../util/logger.js";
 import {
   ensureDataDir,
@@ -179,6 +180,11 @@ export async function runDaemon(): Promise<void> {
     await runWorkspaceMigrations(getWorkspaceDir(), WORKSPACE_MIGRATIONS);
     log.info("Daemon startup: workspace migrations complete");
 
+    // Now that workspace migrations have run (including 003-seed-device-id
+    // which may copy the legacy installationId into device.json), it is safe
+    // to read the device ID and set the Sentry tag.
+    setSentryDeviceId(getDeviceId());
+
     // Purge private (temporary) conversations from the previous daemon run.
     // These are ephemeral by design and should not survive daemon restarts.
     const { count: purgedCount, deletedMemory } = purgePrivateConversations();

package/src/daemon/providers-setup.ts

@@ -5,7 +5,7 @@ import {
   setPlatformUserId,
 } from "../config/env.js";
 import type { AssistantConfig } from "../config/types.js";
-import { setSentryOrganizationId } from "../instrument.js";
+import { setSentryOrganizationId, setSentryUserId } from "../instrument.js";
 import { getMcpServerManager } from "../mcp/manager.js";
 import { gmailMessagingProvider } from "../messaging/providers/gmail/adapter.js";
 import { slackProvider as slackMessagingProvider } from "../messaging/providers/slack/adapter.js";
@@ -91,6 +91,7 @@ export async function initializeProvidersAndTools(
     const trimmed = persisted?.trim();
     if (trimmed) {
       setPlatformUserId(trimmed);
+      setSentryUserId(trimmed);
       log.info("Rehydrated platform user ID from credential store");
     }
   } catch (err) {

package/src/hooks/manager.ts

@@ -1,5 +1,6 @@
 import { type FSWatcher, watch } from "node:fs";
 
+import { getIsContainerized } from "../config/env-registry.js";
 import { Debouncer } from "../util/debounce.js";
 import { pathExists } from "../util/fs.js";
 import { getLogger } from "../util/logger.js";
@@ -32,6 +33,10 @@ export class HookManager {
   private readonly debouncer = new Debouncer(500);
 
   initialize(): void {
+    if (getIsContainerized()) {
+      log.info("Hooks disabled in containerized mode");
+      return;
+    }
     this.hooks = discoverHooks();
     this.buildEventIndex();
     const enabled = this.hooks.filter((h) => h.enabled).length;
@@ -107,6 +112,7 @@ export class HookManager {
   }
 
   reload(): void {
+    if (getIsContainerized()) return;
     this.hooks = discoverHooks();
     this.buildEventIndex();
     const enabled = this.hooks.filter((h) => h.enabled).length;
@@ -114,6 +120,7 @@ export class HookManager {
   }
 
   watch(): void {
+    if (getIsContainerized()) return;
     const hooksDir = getHooksDir();
     if (!pathExists(hooksDir)) return;
 

package/src/instrument.ts

@@ -2,7 +2,11 @@ import { arch, hostname, platform, release } from "node:os";
 
 import * as Sentry from "@sentry/node";
 
-import { getPlatformOrganizationId, getSentryDsn } from "./config/env.js";
+import {
+  getPlatformOrganizationId,
+  getPlatformUserId,
+  getSentryDsn,
+} from "./config/env.js";
 import { APP_VERSION, COMMIT_SHA } from "./version.js";
 
 /** Patterns that match sensitive data in Sentry event values. */
@@ -51,6 +55,7 @@ export function initSentry(): void {
     initialScope: {
       tags: {
         commit: COMMIT_SHA,
+        assistant_version: APP_VERSION,
         os_platform: platform(),
         os_release: release(),
         os_arch: arch(),
@@ -58,9 +63,14 @@ export function initSentry(): void {
         runtime: "bun",
         runtime_version:
           typeof Bun !== "undefined" ? Bun.version : process.version,
+        // NOTE: device_id is NOT set here. It is deferred to setSentryDeviceId()
+        // which is called after workspace migrations run, so that migration
+        // 003-seed-device-id can copy the legacy installationId into device.json
+        // before getDeviceId() eagerly creates a new random UUID.
         ...(getPlatformOrganizationId()
           ? { organization_id: getPlatformOrganizationId() }
           : {}),
+        ...(getPlatformUserId() ? { user_id: getPlatformUserId() } : {}),
       },
     },
     beforeSend(event) {
@@ -109,6 +119,28 @@ export function setSentryOrganizationId(
   Sentry.setTag("organization_id", organizationId || undefined);
 }
 
+/**
+ * Set (or clear) the user_id tag on the global Sentry scope.
+ *
+ * Called after the platform user ID is rehydrated from the credential
+ * store or updated at runtime so that every subsequent Sentry event
+ * includes the user context.
+ */
+export function setSentryUserId(userId: string | undefined): void {
+  Sentry.setTag("user_id", userId || undefined);
+}
+
+/**
+ * Set the device_id tag on the global Sentry scope.
+ *
+ * Called after workspace migrations complete so that migration
+ * 003-seed-device-id has a chance to copy the legacy installationId
+ * into device.json before getDeviceId() is invoked.
+ */
+export function setSentryDeviceId(deviceId: string): void {
+  Sentry.setTag("device_id", deviceId);
+}
+
 // ── Dynamic conversation-scoped Sentry tags ─────────────────────────
 //
 // These tags change per conversation turn and are set on the current

package/src/memory/embedding-local.ts

@@ -1,6 +1,7 @@
 import { existsSync, unlinkSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
 
+import { getIsContainerized } from "../config/env-registry.js";
 import { getLogger } from "../util/logger.js";
 import { getEmbeddingModelsDir, getRootDir } from "../util/platform.js";
 import { PromiseGuard } from "../util/promise-guard.js";
@@ -353,12 +354,17 @@ export class LocalEmbeddingBackend implements EmbeddingBackend {
 
   private static readonly PID_FILENAME = "embed-worker.pid";
 
+  /** PID files are process-local state — store in /tmp when containerized to keep shared volumes clean. */
+  private getPidFilePath(): string {
+    if (getIsContainerized()) {
+      return join("/tmp", LocalEmbeddingBackend.PID_FILENAME);
+    }
+    return join(getRootDir(), LocalEmbeddingBackend.PID_FILENAME);
+  }
+
   private writePidFile(pid: number): void {
     try {
-      writeFileSync(
-        join(getRootDir(), LocalEmbeddingBackend.PID_FILENAME),
-        String(pid),
-      );
+      writeFileSync(this.getPidFilePath(), String(pid));
     } catch {
       // Best-effort — doesn't affect functionality
     }
@@ -366,7 +372,7 @@ export class LocalEmbeddingBackend implements EmbeddingBackend {
 
   private removePidFile(): void {
     try {
-      unlinkSync(join(getRootDir(), LocalEmbeddingBackend.PID_FILENAME));
+      unlinkSync(this.getPidFilePath());
     } catch {
       // Best-effort
     }