@vellumai/assistant 0.5.5 → 0.5.6

package/src/schedule/schedule-store.ts

@@ -206,27 +206,6 @@ export function listSchedules(options?: {
   return rows.map(parseJobRow);
 }
 
-/**
- * Return enabled schedules whose next run falls within a time window.
- * Used by the memory brief compiler to surface due-soon schedule entries.
- */
-export function getDueSoonSchedules(
-  now: number,
-  horizonMs: number,
-): ScheduleJob[] {
-  const db = getDb();
-  const cutoff = now + horizonMs;
-  const rows = db
-    .select()
-    .from(scheduleJobs)
-    .where(
-      and(eq(scheduleJobs.enabled, true), lte(scheduleJobs.nextRunAt, cutoff)),
-    )
-    .orderBy(asc(scheduleJobs.nextRunAt))
-    .all();
-  return rows.map(parseJobRow);
-}
-
 export function updateSchedule(
   id: string,
   updates: {

package/src/skills/inline-command-render.ts

@@ -14,6 +14,7 @@
  */
 
 import { getLogger } from "../util/logger.js";
+import { escapeXmlContent } from "../util/xml.js";
 import type { InlineCommandExpansion } from "./inline-command-expansions.js";
 import type { InlineCommandResult } from "./inline-command-runner.js";
 import { runInlineCommand } from "./inline-command-runner.js";
@@ -91,7 +92,10 @@ export async function renderInlineCommands(
 
     let replacement: string;
     if (commandResult.ok) {
-      replacement = wrapInXml(expansion.placeholderId, commandResult.output);
+      replacement = wrapInXml(
+        expansion.placeholderId,
+        escapeXmlContent(commandResult.output),
+      );
       expandedCount++;
     } else {
       const stub = failureReasonToStub(commandResult);

package/src/skills/inline-command-runner.ts

@@ -37,6 +37,15 @@ const DEFAULT_TIMEOUT_MS = 10_000;
 /** Maximum output characters before truncation. */
 const MAX_OUTPUT_CHARS = 20_000;
 
+/**
+ * Maximum bytes to buffer from stdout during streaming. Once this limit is
+ * reached we stop accepting data so a long-running command (e.g. `yes`) cannot
+ * grow memory unbounded before the timeout fires. Set generously above
+ * MAX_OUTPUT_CHARS to account for multi-byte UTF-8 and ANSI sequences that will
+ * be stripped before the character-level clamp.
+ */
+const MAX_STDOUT_BUFFER_BYTES = MAX_OUTPUT_CHARS * 4;
+
 /**
  * ANSI escape sequence pattern (covers SGR, cursor movement, erase, etc.).
  * Matches: ESC[ ... final_byte  and  ESC] ... ST  (OSC sequences).
@@ -115,7 +124,9 @@ export async function runInlineCommand(
 
   return new Promise<InlineCommandResult>((resolve) => {
     let timedOut = false;
+    let stdoutCapped = false;
     const stdoutChunks: Buffer[] = [];
+    let stdoutBytes = 0;
 
     let child: ReturnType<typeof spawn>;
     try {
@@ -140,7 +151,19 @@ export async function runInlineCommand(
       child.kill("SIGKILL");
     }, timeoutMs);
 
-    child.stdout!.on("data", (data: Buffer) => stdoutChunks.push(data));
+    child.stdout!.on("data", (data: Buffer) => {
+      if (stdoutBytes >= MAX_STDOUT_BUFFER_BYTES) return;
+      stdoutChunks.push(data);
+      stdoutBytes += data.length;
+      if (stdoutBytes >= MAX_STDOUT_BUFFER_BYTES) {
+        // Stop reading to release backpressure on the child process.
+        // This destroys the read end of the pipe, which may cause the
+        // child to receive SIGPIPE and exit with code=null. The
+        // stdoutCapped flag lets the close handler treat this as success.
+        stdoutCapped = true;
+        child.stdout!.destroy();
+      }
+    });
 
     child.on("close", (code) => {
       clearTimeout(timer);
@@ -157,7 +180,12 @@ export async function runInlineCommand(
       }
 
       // ── Non-zero exit ────────────────────────────────────────────────
-      if (code !== 0) {
+      // When stdout was capped we destroyed the read end of the pipe,
+      // which typically causes SIGPIPE — the process is killed by the
+      // signal so the exit code is null. Only suppress the error in that
+      // specific case; a command that outputs a lot but exits with a
+      // genuine non-zero code (e.g. exit 1) should still be an error.
+      if (code !== 0 && !(stdoutCapped && code == null)) {
         log.debug(
           { command, exitCode: code },
           "Inline command exited with non-zero code",

package/src/tools/memory/handlers.ts

@@ -2,8 +2,6 @@ import { and, eq, ne } from "drizzle-orm";
 import { v4 as uuid } from "uuid";
 
 import type { AssistantConfig } from "../../config/types.js";
-import { buildArchiveRecall } from "../../memory/archive-recall.js";
-import { insertObservation } from "../../memory/archive-store.js";
 import { getDb } from "../../memory/db.js";
 import { computeMemoryFingerprint } from "../../memory/fingerprint.js";
 import { enqueueMemoryJob } from "../../memory/jobs-store.js";
@@ -20,7 +18,7 @@ const log = getLogger("memory-tools");
 
 export async function handleMemorySave(
   args: Record<string, unknown>,
-  config: AssistantConfig,
+  _config: AssistantConfig,
   conversationId: string,
   messageId: string | undefined,
   scopeId: string = "default",
@@ -65,19 +63,6 @@ export async function handleMemorySave(
       ? truncate(args.subject.trim(), 80, "")
       : inferSubjectFromStatement(statement.trim());
 
-  // When simplified memory is enabled, save directly to the simplified
-  // observation/chunk tables instead of the legacy memory_items table.
-  if (config.memory.simplified.enabled) {
-    return handleSimplifiedMemorySave(
-      kind,
-      subject,
-      statement.trim(),
-      conversationId,
-      messageId,
-      scopeId,
-    );
-  }
-
   try {
     const db = getDb();
     const id = uuid();
@@ -290,12 +275,6 @@ export async function handleMemoryRecall(
       ? args.scope.trim()
       : "default";
 
-  // When simplified memory is enabled, use the archive recall path
-  // instead of the legacy hybrid retriever.
-  if (config.memory.simplified.enabled) {
-    return handleSimplifiedMemoryRecall(query.trim(), scopeId ?? "default");
-  }
-
   // Scope policy: "conversation" means strict (only that scope),
   // anything else allows fallback to the default scope.
   const scopePolicyOverride: ScopePolicyOverride | undefined = scopeId
@@ -432,113 +411,6 @@ export async function handleMemoryDelete(
   }
 }
 
-// ── Simplified memory helpers ────────────────────────────────────────
-
-/**
- * Save a memory item as an observation + chunk in the simplified system.
- * This is used when simplified memory is enabled instead of writing to
- * the legacy memory_items table.
- */
-function handleSimplifiedMemorySave(
-  kind: string,
-  subject: string,
-  statement: string,
-  conversationId: string,
-  messageId: string | undefined,
-  scopeId: string,
-): ToolExecutionResult {
-  try {
-    const trimmedStatement = truncate(statement, 500, "");
-    const content = `[${kind}] ${subject}: ${trimmedStatement}`;
-
-    const result = insertObservation({
-      conversationId,
-      messageId: messageId ?? null,
-      role: "user",
-      content,
-      scopeId,
-      modality: "text",
-      source: "tool:memory_save",
-    });
-
-    log.debug(
-      {
-        observationId: result.observationId,
-        chunkId: result.chunkId,
-        kind,
-        subject,
-        conversationId,
-        messageId,
-      },
-      "Memory saved via simplified system",
-    );
-
-    return {
-      content: `Saved to memory (ID: ${result.observationId}).\nKind: ${kind}\nSubject: ${subject}\nStatement: ${trimmedStatement}`,
-      isError: false,
-    };
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    log.error({ err }, "simplified memory_save failed");
-    return { content: `Error: Failed to save memory: ${msg}`, isError: true };
-  }
-}
-
-/**
- * Recall memories using the simplified archive recall path instead of
- * the legacy hybrid retriever.
- */
-function handleSimplifiedMemoryRecall(
-  query: string,
-  scopeId: string,
-): ToolExecutionResult {
-  try {
-    const recallResult = buildArchiveRecall(scopeId, query);
-
-    if (recallResult.bullets.length === 0) {
-      return {
-        content: JSON.stringify({
-          text: "No matching memories found.",
-          resultCount: 0,
-          degraded: false,
-          items: [],
-          sources: { semantic: 0, recency: 0 },
-        }),
-        isError: false,
-      };
-    }
-
-    const items = recallResult.bullets.map((b) => ({
-      id: b.sourceId,
-      type: b.source,
-      kind: b.source,
-    }));
-
-    const result = {
-      text: recallResult.text,
-      resultCount: recallResult.bullets.length,
-      degraded: false,
-      items,
-      sources: {
-        semantic: recallResult.prefetchHitCount,
-        recency: 0,
-      },
-    };
-
-    return {
-      content: JSON.stringify(result),
-      isError: false,
-    };
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    log.error({ err, query }, "simplified memory_recall failed");
-    return {
-      content: `Error: Memory recall failed: ${msg}`,
-      isError: true,
-    };
-  }
-}
-
 // ── Helpers ──────────────────────────────────────────────────────────
 
 function inferSubjectFromStatement(statement: string): string {

package/src/tools/permission-checker.ts

@@ -137,6 +137,24 @@ export class PermissionChecker {
       }
 
       if (result.decision === "prompt") {
+        // dangerouslySkipPermissions: when enabled, auto-approve all prompts
+        // without user interaction. Deny rules are still respected (they
+        // return before reaching this block).
+        //
+        // Note: unlike guardian auto-approve and temporary overrides below,
+        // this intentionally does NOT check `context.requireFreshApproval`.
+        // The setting is designed to skip ALL interactive prompts
+        // unconditionally — it is an explicit operator opt-out from the
+        // permission system, so requireFreshApproval does not apply.
+        const cfg = getConfig();
+        if (cfg.permissions.dangerouslySkipPermissions) {
+          log.info(
+            { toolName: name, riskLevel },
+            "dangerouslySkipPermissions active — auto-approving without prompt",
+          );
+          return { allowed: true, decision: "dangerously_skip_permissions", riskLevel };
+        }
+
         // Guardian-trust sessions (e.g. scheduled jobs, reminders) should be
         // able to use bundled tools without interactive approval. The guardian
         // is the owner - prompting makes no sense when there is no client.

package/src/tools/skills/load.ts

@@ -440,9 +440,16 @@ export class SkillLoadTool implements Tool {
                 "Rendered inline command expansions for included skill",
               );
             } catch (err) {
-              log.warn(
+              log.error(
                 { err, skillId: childId, parentSkillId: skill.id },
-                "Failed to render inline commands for included skill, using raw body",
+                "Failed to render inline commands for included skill; falling back to sanitized body",
+              );
+              // Strip raw !`...` inline command tokens so they don't leak into
+              // the prompt. Replace with a safe stub to maintain fail-closed
+              // contract for raw tokens while still isolating child failures.
+              childBody = childBody.replace(
+                /!`[^`]*`/g,
+                "[inline command unavailable]",
               );
             }
           }

package/src/util/platform.ts

@@ -436,11 +436,11 @@ export function ensureDataDir(): void {
   const dirs = [
     // Root-level dirs (runtime)
     root,
-    // protected, signals, hooks are local-only — skip in containerized mode
-    // (credentials via CES HTTP API, trust via gateway API, no IPC signals)
-    ...(containerized
-      ? []
-      : [join(root, "protected"), join(root, "signals"), join(root, "hooks")]),
+    // signals dir is needed everywhere (MCP reload, user-message signals)
+    join(root, "signals"),
+    // protected, hooks are local-only — skip in containerized mode
+    // (credentials via CES HTTP API, trust via gateway API)
+    ...(containerized ? [] : [join(root, "protected"), join(root, "hooks")]),
     // Workspace dirs
     workspace,
     join(workspace, "skills"),

package/src/util/xml.ts

@@ -6,3 +6,11 @@ export function escapeXmlAttr(s: string): string {
     .replace(/</g, "&lt;")
     .replace(/>/g, "&gt;");
 }
+
+/** Escape a string for safe inclusion as XML/HTML text content. */
+export function escapeXmlContent(s: string): string {
+  return s
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;");
+}

package/src/workspace/heartbeat-service.ts

@@ -210,13 +210,11 @@ export class WorkspaceHeartbeatService {
 
       try {
         const now = this.now();
-        let shutdownFiles: string[] = [];
         const { committed } = await service.commitIfDirty(
           (st) => {
             const uniqueFiles = [
               ...new Set([...st.staged, ...st.modified, ...st.untracked]),
             ];
-            shutdownFiles = uniqueFiles;
             log.info(
               { workspaceDir, totalChanges: uniqueFiles.length },
               "Committing pending changes on shutdown",
@@ -237,28 +235,11 @@ export class WorkspaceHeartbeatService {
         if (committed) {
           firstSeenDirty.delete(workspaceDir);
           result.committed++;
-
-          // Fire-and-forget enrichment
-          try {
-            const commitHash = await service.getHeadHash();
-            const shutdownCtx: CommitContext = {
-              workspaceDir,
-              trigger: "shutdown",
-              changedFiles: shutdownFiles,
-              timestampMs: this.now(),
-            };
-            getEnrichmentService().enqueue({
-              workspaceDir,
-              commitHash,
-              context: shutdownCtx,
-              gitService: service,
-            });
-          } catch (enrichErr) {
-            log.debug(
-              { enrichErr },
-              "Failed to enqueue shutdown enrichment (non-fatal)",
-            );
-          }
+          // Skip enrichment for shutdown commits — the enrichment queue is
+          // about to be shut down anyway, and the fire-and-forget writeNote()
+          // can race with subsequent commitAllPending() calls (the async
+          // git-notes operation acquires the mutex and may leave behind an
+          // index.lock on some git versions, causing the next commit to fail).
         } else {
           result.skipped++;
         }