@vellumai/assistant 0.5.5 → 0.5.7

package/src/security/secure-keys.ts

@@ -1,15 +1,17 @@
 /**
- * Unified secure key storage — single-writer routing through CredentialBackend
+ * Unified secure key storage — single-backend routing through CredentialBackend
  * adapters.
  *
- * Backend selection (`resolveBackend`) is the single decision point:
- *   - Containerized (IS_CONTAINERIZED + CES_CREDENTIAL_URL set): CES HTTP client.
- *   - Production (VELLUM_DEV unset or "0"): keychain backend when available.
- *   - Dev mode (VELLUM_DEV=1): encrypted file store always.
+ * Backend selection (`resolveBackendAsync`) is the single async decision point:
+ *   1. CES RPC (primary) — injected via `setCesClient()`: delegates credential
+ *      operations to the CES process over stdio RPC. This is the default path
+ *      for all local modes (desktop app, dev, CLI).
+ *   2. CES HTTP — containerized mode (IS_CONTAINERIZED + CES_CREDENTIAL_URL):
+ *      delegates to the CES sidecar over HTTP. Used in Docker/managed mode.
+ *   3. Encrypted file store (fallback) — used when CES is unavailable.
  *
- * Writes go to exactly one backend (no dual-writing). Reads in keychain mode
- * fall back to the encrypted store for keys that haven't been migrated yet.
- * Deletes clean up both stores regardless of mode.
+ * All operations (reads, writes, lists, deletes) go to exactly one backend.
+ * There are no cross-backend fallbacks or merges.
  */
 
 import type {
@@ -19,13 +21,12 @@ import type {
 
 import providerEnvVarsRegistry from "../../../meta/provider-env-vars.json" with { type: "json" };
 import { getIsContainerized } from "../config/env-registry.js";
+import type { CesClient } from "../credential-execution/client.js";
 import { getLogger } from "../util/logger.js";
 import { createCesCredentialBackend } from "./ces-credential-client.js";
+import { CesRpcCredentialBackend } from "./ces-rpc-credential-backend.js";
 import type { CredentialBackend, DeleteResult } from "./credential-backend.js";
-import {
-  createEncryptedStoreBackend,
-  createKeychainBackend,
-} from "./credential-backend.js";
+import { createEncryptedStoreBackend } from "./credential-backend.js";
 
 export type { DeleteResult } from "./credential-backend.js";
 
@@ -36,15 +37,24 @@ export type { DeleteResult } from "./credential-backend.js";
  */
 export type { SecureKeyBackend, SecureKeyDeleteResult };
 
+export interface SecureKeyResult {
+  value: string | undefined;
+  unreachable: boolean;
+}
+
 const log = getLogger("secure-keys");
 
-let _keychain: CredentialBackend | undefined;
+let _cesClient: CesClient | undefined;
 let _encryptedStore: CredentialBackend | undefined;
 let _resolvedBackend: CredentialBackend | undefined;
+let _resolvePromise: Promise<CredentialBackend> | undefined;
 
-function getKeychainBackend(): CredentialBackend {
-  if (!_keychain) _keychain = createKeychainBackend();
-  return _keychain;
+/** Inject a CES RPC client for credential routing. Resets the resolved backend. */
+export function setCesClient(client: CesClient | undefined): void {
+  _cesClient = client;
+  // Reset resolved backend so next call picks up CES
+  _resolvedBackend = undefined;
+  _resolvePromise = undefined;
 }
 
 function getEncryptedStoreBackend(): CredentialBackend {
@@ -53,101 +63,96 @@ function getEncryptedStoreBackend(): CredentialBackend {
 }
 
 /**
- * Resolve the primary credential backend for this process.
+ * Resolve the primary credential backend for this process (async).
  *
  * Priority:
- *   1. Containerized + CES_CREDENTIAL_URL → CES HTTP client (skip keychain
- *      and encrypted store entirely — the sidecar owns credential storage).
- *   2. Production (VELLUM_DEV unset or "0") → keychain when available.
- *   3. Dev mode (VELLUM_DEV=1) → encrypted file store always.
+ *   1. CES RPC client → primary path for all local modes.
+ *   2. Containerized + CES_CREDENTIAL_URL → CES HTTP client (Docker/managed).
+ *   3. Encrypted file store → fallback when CES is unavailable.
  *
  * Once resolved, the backend does not change during the process lifetime.
  * Call `_resetBackend()` in tests to clear the cached resolution.
  */
-function resolveBackend(): CredentialBackend {
-  if (!_resolvedBackend) {
-    if (getIsContainerized() && process.env.CES_CREDENTIAL_URL) {
-      const ces = createCesCredentialBackend();
-      if (ces.isAvailable()) {
-        _resolvedBackend = ces;
-      } else {
-        log.warn(
-          "CES_CREDENTIAL_URL is set but CES backend is not available — " +
-            "falling back to local credential store",
-        );
-      }
+async function resolveBackendAsync(): Promise<CredentialBackend> {
+  if (_resolvedBackend) return _resolvedBackend;
+  if (!_resolvePromise) {
+    _resolvePromise = doResolveBackend();
+  }
+  return _resolvePromise;
+}
+
+async function doResolveBackend(): Promise<CredentialBackend> {
+  // 1. CES RPC — primary credential backend for all local modes
+  if (_cesClient) {
+    const cesRpc = new CesRpcCredentialBackend(_cesClient);
+    if (cesRpc.isAvailable()) {
+      _resolvedBackend = cesRpc;
+      return cesRpc;
     }
+    log.warn("CES RPC client is set but not ready — falling back to local credential store");
+  }
 
-    if (!_resolvedBackend) {
-      if (
-        process.env.VELLUM_DEV !== "1" &&
-        getKeychainBackend().isAvailable()
-      ) {
-        _resolvedBackend = getKeychainBackend();
-      } else {
-        _resolvedBackend = getEncryptedStoreBackend();
-      }
+  // 2. CES HTTP — containerized / Docker / managed mode
+  if (getIsContainerized() && process.env.CES_CREDENTIAL_URL) {
+    const ces = createCesCredentialBackend();
+    if (ces.isAvailable()) {
+      _resolvedBackend = ces;
+      return ces;
     }
+    log.warn(
+      "CES_CREDENTIAL_URL is set but CES backend is not available — " +
+        "falling back to local credential store",
+    );
   }
+
+  // 3. Encrypted file store — fallback when CES is unavailable
+  _resolvedBackend = getEncryptedStoreBackend();
   return _resolvedBackend;
 }
 
 /**
- * List all account names across both backends (async).
- *
- * In CES mode, only the CES backend is queried — there are no local stores.
+ * List all account names from the resolved backend (async).
  *
- * When the primary backend is the keychain, this merges keys from the keychain
- * and the encrypted store (for legacy keys that haven't been migrated). The
- * result is deduplicated. When the primary backend is already the encrypted
- * store, only that store is queried.
+ * Queries exactly one backend — no cross-store merge.
  */
 export async function listSecureKeysAsync(): Promise<string[]> {
-  const backend = resolveBackend();
-  const primaryKeys = await backend.list();
-
-  // CES mode — the sidecar is the single source of truth, no local merge.
-  if (backend.name === "ces-http") return primaryKeys;
-
-  // If primary backend is NOT the encrypted store, also check
-  // the encrypted store for legacy keys that haven't been migrated.
-  if (backend !== getEncryptedStoreBackend()) {
-    const encKeys = await getEncryptedStoreBackend().list();
-    const merged = new Set([...primaryKeys, ...encKeys]);
-    return Array.from(merged);
-  }
-
-  return primaryKeys;
+  const backend = await resolveBackendAsync();
+  return backend.list();
 }
 
 // ---------------------------------------------------------------------------
-// Async CRUD — single-writer routing
+// Async CRUD — single-backend routing
 // ---------------------------------------------------------------------------
 
 /**
- * Retrieve a secret from secure storage. Reads from the primary backend
- * first. In CES mode, the sidecar is the single source of truth — no
- * local fallback. In local mode, if the primary backend is the keychain,
- * falls back to the encrypted store for legacy keys that haven't been
- * migrated.
+ * Retrieve a secret from secure storage with richer result metadata.
+ *
+ * Returns both the value (if found) and whether the backend was
+ * unreachable. Callers that need to distinguish "not found" from
+ * "backend down" should use this instead of `getSecureKeyAsync`.
+ *
+ * Reads from exactly one backend — no cross-store fallback.
  */
-export async function getSecureKeyAsync(
+export async function getSecureKeyResultAsync(
   account: string,
-): Promise<string | undefined> {
-  const backend = resolveBackend();
+): Promise<SecureKeyResult> {
+  const backend = await resolveBackendAsync();
   const result = await backend.get(account);
-  if (result != null) return result;
-
-  // CES mode — no local fallback.
-  if (backend.name === "ces-http") return undefined;
-
-  // Legacy fallback: if primary backend is NOT the encrypted store,
-  // check the encrypted store for keys that haven't been migrated.
-  if (backend !== getEncryptedStoreBackend()) {
-    return await getEncryptedStoreBackend().get(account);
+  if (result.value != null) {
+    return { value: result.value, unreachable: false };
   }
+  return { value: undefined, unreachable: result.unreachable };
+}
 
-  return undefined;
+/**
+ * Retrieve a secret from secure storage. Convenience wrapper over
+ * `getSecureKeyResultAsync` that returns only the value.
+ */
+export async function getSecureKeyAsync(
+  account: string,
+): Promise<string | undefined> {
+  const result = await getSecureKeyResultAsync(account);
+  return result.value;
 }
 
 /**
@@ -158,7 +163,7 @@ export async function setSecureKeyAsync(
   account: string,
   value: string,
 ): Promise<boolean> {
-  const backend = resolveBackend();
+  const backend = await resolveBackendAsync();
   const ok = await backend.set(account, value);
   if (!ok) {
     log.warn(
@@ -172,38 +177,13 @@ export async function setSecureKeyAsync(
 /**
  * Delete a secret from secure storage.
  *
- * In containerized mode with CES, deletion is routed exclusively through the
- * CES backend — there are no local stores to clean up.
- *
- * In local mode, always attempts deletion on both the keychain backend (if
- * available) and the encrypted store backend, regardless of routing mode.
- * This cleans up legacy data from both stores.
+ * Deletes from exactly one backend — no cross-store cleanup.
  */
 export async function deleteSecureKeyAsync(
   account: string,
 ): Promise<DeleteResult> {
-  const backend = resolveBackend();
-
-  // In CES mode, the sidecar is the only store — no local cleanup needed.
-  if (backend.name === "ces-http") {
-    return backend.delete(account);
-  }
-
-  const keychain = getKeychainBackend();
-  const enc = getEncryptedStoreBackend();
-
-  let keychainResult: DeleteResult = "not-found";
-  if (keychain.isAvailable()) {
-    keychainResult = await keychain.delete(account);
-  }
-
-  const encResult = await enc.delete(account);
-
-  // Return "error" if either errored
-  if (keychainResult === "error" || encResult === "error") return "error";
-  // Return "deleted" if either deleted
-  if (keychainResult === "deleted" || encResult === "deleted") return "deleted";
-  return "not-found";
+  const backend = await resolveBackendAsync();
+  return backend.delete(account);
 }
 
 // ---------------------------------------------------------------------------
@@ -263,7 +243,8 @@ export async function getMaskedProviderKey(
 
 /** @internal Test-only: reset the cached backends so they're re-created. */
 export function _resetBackend(): void {
-  _keychain = undefined;
+  _cesClient = undefined;
   _encryptedStore = undefined;
   _resolvedBackend = undefined;
+  _resolvePromise = undefined;
 }

package/src/skills/catalog-install.ts

@@ -88,11 +88,7 @@ function getConfigPlatformUrl(): string | undefined {
 }
 
 function getPlatformUrl(): string {
-  return (
-    process.env.VELLUM_PLATFORM_URL ??
-    getConfigPlatformUrl() ??
-    "https://platform.vellum.ai"
-  );
+  return process.env.VELLUM_PLATFORM_URL ?? getConfigPlatformUrl() ?? "";
 }
 
 function buildHeaders(): Record<string, string> {
@@ -107,7 +103,11 @@ function buildHeaders(): Record<string, string> {
 // ─── Catalog operations ──────────────────────────────────────────────────────
 
 export async function fetchCatalog(): Promise<CatalogSkill[]> {
-  const url = `${getPlatformUrl()}/v1/skills/`;
+  const platformUrl = getPlatformUrl();
+  if (!platformUrl) {
+    return [];
+  }
+  const url = `${platformUrl}/v1/skills/`;
   const response = await fetch(url, {
     headers: buildHeaders(),
     signal: AbortSignal.timeout(10000),
@@ -214,7 +214,13 @@ export async function fetchAndExtractSkill(
   skillId: string,
   destDir: string,
 ): Promise<void> {
-  const url = `${getPlatformUrl()}/v1/skills/${encodeURIComponent(skillId)}/`;
+  const platformUrl = getPlatformUrl();
+  if (!platformUrl) {
+    throw new Error(
+      `Cannot fetch skill "${skillId}": VELLUM_PLATFORM_URL is not configured.`,
+    );
+  }
+  const url = `${platformUrl}/v1/skills/${encodeURIComponent(skillId)}/`;
   const response = await fetch(url, {
     headers: buildHeaders(),
     signal: AbortSignal.timeout(15000),

package/src/skills/inline-command-render.ts

@@ -14,6 +14,7 @@
  */
 
 import { getLogger } from "../util/logger.js";
+import { escapeXmlContent } from "../util/xml.js";
 import type { InlineCommandExpansion } from "./inline-command-expansions.js";
 import type { InlineCommandResult } from "./inline-command-runner.js";
 import { runInlineCommand } from "./inline-command-runner.js";
@@ -91,7 +92,10 @@ export async function renderInlineCommands(
 
     let replacement: string;
     if (commandResult.ok) {
-      replacement = wrapInXml(expansion.placeholderId, commandResult.output);
+      replacement = wrapInXml(
+        expansion.placeholderId,
+        escapeXmlContent(commandResult.output),
+      );
       expandedCount++;
     } else {
       const stub = failureReasonToStub(commandResult);

package/src/skills/inline-command-runner.ts

@@ -37,6 +37,15 @@ const DEFAULT_TIMEOUT_MS = 10_000;
 /** Maximum output characters before truncation. */
 const MAX_OUTPUT_CHARS = 20_000;
 
+/**
+ * Maximum bytes to buffer from stdout during streaming. Once this limit is
+ * reached we stop accepting data so a long-running command (e.g. `yes`) cannot
+ * grow memory unbounded before the timeout fires. Set generously above
+ * MAX_OUTPUT_CHARS to account for multi-byte UTF-8 and ANSI sequences that will
+ * be stripped before the character-level clamp.
+ */
+const MAX_STDOUT_BUFFER_BYTES = MAX_OUTPUT_CHARS * 4;
+
 /**
  * ANSI escape sequence pattern (covers SGR, cursor movement, erase, etc.).
  * Matches: ESC[ ... final_byte  and  ESC] ... ST  (OSC sequences).
@@ -115,7 +124,9 @@ export async function runInlineCommand(
 
   return new Promise<InlineCommandResult>((resolve) => {
     let timedOut = false;
+    let stdoutCapped = false;
     const stdoutChunks: Buffer[] = [];
+    let stdoutBytes = 0;
 
     let child: ReturnType<typeof spawn>;
     try {
@@ -140,7 +151,19 @@ export async function runInlineCommand(
       child.kill("SIGKILL");
     }, timeoutMs);
 
-    child.stdout!.on("data", (data: Buffer) => stdoutChunks.push(data));
+    child.stdout!.on("data", (data: Buffer) => {
+      if (stdoutBytes >= MAX_STDOUT_BUFFER_BYTES) return;
+      stdoutChunks.push(data);
+      stdoutBytes += data.length;
+      if (stdoutBytes >= MAX_STDOUT_BUFFER_BYTES) {
+        // Stop reading to release backpressure on the child process.
+        // This destroys the read end of the pipe, which may cause the
+        // child to receive SIGPIPE and exit with code=null. The
+        // stdoutCapped flag lets the close handler treat this as success.
+        stdoutCapped = true;
+        child.stdout!.destroy();
+      }
+    });
 
     child.on("close", (code) => {
       clearTimeout(timer);
@@ -157,7 +180,12 @@ export async function runInlineCommand(
       }
 
       // ── Non-zero exit ────────────────────────────────────────────────
-      if (code !== 0) {
+      // When stdout was capped we destroyed the read end of the pipe,
+      // which typically causes SIGPIPE — the process is killed by the
+      // signal so the exit code is null. Only suppress the error in that
+      // specific case; a command that outputs a lot but exits with a
+      // genuine non-zero code (e.g. exit 1) should still be an error.
+      if (code !== 0 && !(stdoutCapped && code == null)) {
         log.debug(
           { command, exitCode: code },
           "Inline command exited with non-zero code",

package/src/telemetry/usage-telemetry-reporter.ts

@@ -140,7 +140,7 @@ export class UsageTelemetryReporter {
 
       // Resolve auth context — skip flush when neither auth mode is viable
       const client = await VellumPlatformClient.create();
-      if (!client && !getTelemetryAppToken()) {
+      if (!client && (!getTelemetryAppToken() || !getTelemetryPlatformUrl())) {
         return;
       }
 
@@ -203,7 +203,9 @@ export class UsageTelemetryReporter {
       if (client) {
         resp = await client.fetch(TELEMETRY_PATH, fetchInit);
       } else {
-        const url = `${getTelemetryPlatformUrl()}${TELEMETRY_PATH}`;
+        const platformUrl = getTelemetryPlatformUrl();
+        if (!platformUrl) return;
+        const url = `${platformUrl}${TELEMETRY_PATH}`;
         resp = await fetch(url, {
           ...fetchInit,
           headers: {

package/src/tools/calls/call-start.ts

@@ -46,6 +46,7 @@ export async function executeCallStart(
       | "assistant_number"
       | "user_number"
       | undefined,
+    skipDisclosure: input.skip_disclosure === true,
   });
 
   if (!result.ok) {

package/src/tools/executor.ts

@@ -183,10 +183,6 @@ export class ToolExecutor {
         );
         // Buffer so the shell's own timeout fires first and handles cleanup
         toolTimeoutMs = (shellTimeoutSec + 5) * 1000;
-      } else if (name === "claude_code") {
-        // Claude Code spawns a subprocess that manages its own turn limits
-        // (maxTurns). Give it a generous timeout so it isn't killed mid-task.
-        toolTimeoutMs = 10 * 60 * 1000; // 10 minutes
       } else {
         const rawTimeoutSec = getConfig().timeouts.toolExecutionTimeoutSec;
         toolTimeoutMs = safeTimeoutMs(rawTimeoutSec);

package/src/tools/memory/handlers.ts

@@ -2,8 +2,6 @@ import { and, eq, ne } from "drizzle-orm";
 import { v4 as uuid } from "uuid";
 
 import type { AssistantConfig } from "../../config/types.js";
-import { buildArchiveRecall } from "../../memory/archive-recall.js";
-import { insertObservation } from "../../memory/archive-store.js";
 import { getDb } from "../../memory/db.js";
 import { computeMemoryFingerprint } from "../../memory/fingerprint.js";
 import { enqueueMemoryJob } from "../../memory/jobs-store.js";
@@ -20,7 +18,7 @@ const log = getLogger("memory-tools");
 
 export async function handleMemorySave(
   args: Record<string, unknown>,
-  config: AssistantConfig,
+  _config: AssistantConfig,
   conversationId: string,
   messageId: string | undefined,
   scopeId: string = "default",
@@ -65,19 +63,6 @@ export async function handleMemorySave(
       ? truncate(args.subject.trim(), 80, "")
       : inferSubjectFromStatement(statement.trim());
 
-  // When simplified memory is enabled, save directly to the simplified
-  // observation/chunk tables instead of the legacy memory_items table.
-  if (config.memory.simplified.enabled) {
-    return handleSimplifiedMemorySave(
-      kind,
-      subject,
-      statement.trim(),
-      conversationId,
-      messageId,
-      scopeId,
-    );
-  }
-
   try {
     const db = getDb();
     const id = uuid();
@@ -290,12 +275,6 @@ export async function handleMemoryRecall(
       ? args.scope.trim()
       : "default";
 
-  // When simplified memory is enabled, use the archive recall path
-  // instead of the legacy hybrid retriever.
-  if (config.memory.simplified.enabled) {
-    return handleSimplifiedMemoryRecall(query.trim(), scopeId ?? "default");
-  }
-
   // Scope policy: "conversation" means strict (only that scope),
   // anything else allows fallback to the default scope.
   const scopePolicyOverride: ScopePolicyOverride | undefined = scopeId
@@ -432,113 +411,6 @@ export async function handleMemoryDelete(
   }
 }
 
-// ── Simplified memory helpers ────────────────────────────────────────
-
-/**
- * Save a memory item as an observation + chunk in the simplified system.
- * This is used when simplified memory is enabled instead of writing to
- * the legacy memory_items table.
- */
-function handleSimplifiedMemorySave(
-  kind: string,
-  subject: string,
-  statement: string,
-  conversationId: string,
-  messageId: string | undefined,
-  scopeId: string,
-): ToolExecutionResult {
-  try {
-    const trimmedStatement = truncate(statement, 500, "");
-    const content = `[${kind}] ${subject}: ${trimmedStatement}`;
-
-    const result = insertObservation({
-      conversationId,
-      messageId: messageId ?? null,
-      role: "user",
-      content,
-      scopeId,
-      modality: "text",
-      source: "tool:memory_save",
-    });
-
-    log.debug(
-      {
-        observationId: result.observationId,
-        chunkId: result.chunkId,
-        kind,
-        subject,
-        conversationId,
-        messageId,
-      },
-      "Memory saved via simplified system",
-    );
-
-    return {
-      content: `Saved to memory (ID: ${result.observationId}).\nKind: ${kind}\nSubject: ${subject}\nStatement: ${trimmedStatement}`,
-      isError: false,
-    };
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    log.error({ err }, "simplified memory_save failed");
-    return { content: `Error: Failed to save memory: ${msg}`, isError: true };
-  }
-}
-
-/**
- * Recall memories using the simplified archive recall path instead of
- * the legacy hybrid retriever.
- */
-function handleSimplifiedMemoryRecall(
-  query: string,
-  scopeId: string,
-): ToolExecutionResult {
-  try {
-    const recallResult = buildArchiveRecall(scopeId, query);
-
-    if (recallResult.bullets.length === 0) {
-      return {
-        content: JSON.stringify({
-          text: "No matching memories found.",
-          resultCount: 0,
-          degraded: false,
-          items: [],
-          sources: { semantic: 0, recency: 0 },
-        }),
-        isError: false,
-      };
-    }
-
-    const items = recallResult.bullets.map((b) => ({
-      id: b.sourceId,
-      type: b.source,
-      kind: b.source,
-    }));
-
-    const result = {
-      text: recallResult.text,
-      resultCount: recallResult.bullets.length,
-      degraded: false,
-      items,
-      sources: {
-        semantic: recallResult.prefetchHitCount,
-        recency: 0,
-      },
-    };
-
-    return {
-      content: JSON.stringify(result),
-      isError: false,
-    };
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    log.error({ err, query }, "simplified memory_recall failed");
-    return {
-      content: `Error: Memory recall failed: ${msg}`,
-      isError: true,
-    };
-  }
-}
-
 // ── Helpers ──────────────────────────────────────────────────────────
 
 function inferSubjectFromStatement(statement: string): string {

package/src/tools/network/script-proxy/session-manager.ts

@@ -61,10 +61,25 @@ const store = new SessionStore();
 /**
  * Host patterns that are allowed by default through the proxy policy engine,
  * regardless of session configuration. Supports exact matches (e.g.
- * `"localhost"`) and wildcard subdomain patterns (e.g. `"*.vellum.ai"`
- * matches `platform.vellum.ai`, `dev-platform.vellum.ai`, etc.).
+ * `"localhost"`) and wildcard subdomain patterns (e.g. `"*.example.com"`
+ * matches `api.example.com`, `dev.example.com`, etc.).
+ *
+ * Additional patterns can be added via the `PROXY_ALLOWED_HOSTS` env var
+ * (comma-separated, e.g. `"*.example.com,api.foo.bar"`).
  */
-const ALLOWED_HOST_PATTERNS: readonly string[] = ["*.vellum.ai", "localhost"];
+const ALLOWED_HOST_PATTERNS: readonly string[] = (() => {
+  const extra = process.env.PROXY_ALLOWED_HOSTS?.trim();
+  const defaults = ["localhost"];
+  if (extra) {
+    defaults.push(
+      ...extra
+        .split(",")
+        .map((h) => h.trim())
+        .filter(Boolean),
+    );
+  }
+  return defaults;
+})();
 
 /**
  * Returns `true` when `hostname` matches any entry in
@@ -73,7 +88,7 @@ const ALLOWED_HOST_PATTERNS: readonly string[] = ["*.vellum.ai", "localhost"];
 function isAllowedHost(hostname: string): boolean {
   for (const pattern of ALLOWED_HOST_PATTERNS) {
     if (pattern.startsWith("*.")) {
-      const suffix = pattern.slice(1); // e.g. ".vellum.ai"
+      const suffix = pattern.slice(1); // e.g. ".example.com"
       if (hostname.endsWith(suffix) || hostname === pattern.slice(2)) {
         return true;
       }

package/src/tools/network/web-fetch.ts

@@ -573,7 +573,9 @@ export async function executeWebFetch(
       Accept:
         "text/markdown, text/html;q=0.9, application/xhtml+xml;q=0.9, text/plain;q=0.8, application/json;q=0.7, */*;q=0.6",
       "Accept-Encoding": "identity",
-      "User-Agent": "VellumAssistant/1.0 (+https://vellum.ai)",
+      "User-Agent":
+        process.env.HTTP_USER_AGENT ||
+        "VellumAssistant/1.0 (+https://vellum.ai)",
     };
 
     let currentUrl = new URL(requestedUrl);