@vellumai/assistant 0.5.6 → 0.5.7

package/src/config/loader.ts

@@ -2,19 +2,15 @@ import {
   existsSync,
   mkdirSync,
   readFileSync,
+  renameSync,
   statSync,
   writeFileSync,
 } from "node:fs";
-import { dirname } from "node:path";
+import { dirname, join } from "node:path";
 
 import { ConfigError } from "../util/errors.js";
 import { getLogger } from "../util/logger.js";
-import {
-  ensureDataDir,
-  getWorkspaceConfigPath,
-  readLockfile,
-  writeLockfile,
-} from "../util/platform.js";
+import { ensureDataDir, getWorkspaceConfigPath } from "../util/platform.js";
 import { AssistantConfigSchema } from "./schema.js";
 import type { AssistantConfig } from "./types.js";
 
@@ -214,6 +210,35 @@ export function deepMergeMissing(
   return changed;
 }
 
+/**
+ * Deep-merge `overrides` into `target`, overwriting leaf values.
+ * Recursively merges nested objects; scalars and arrays from `overrides`
+ * replace corresponding values in `target`.
+ */
+export function deepMergeOverwrite(
+  target: Record<string, unknown>,
+  overrides: Record<string, unknown>,
+): void {
+  for (const key of Object.keys(overrides)) {
+    const ov = overrides[key];
+    if (
+      ov != null &&
+      typeof ov === "object" &&
+      !Array.isArray(ov) &&
+      target[key] != null &&
+      typeof target[key] === "object" &&
+      !Array.isArray(target[key])
+    ) {
+      deepMergeOverwrite(
+        target[key] as Record<string, unknown>,
+        ov as Record<string, unknown>,
+      );
+    } else {
+      target[key] = ov;
+    }
+  }
+}
+
 /**
  * Read the existing config.json from disk, merge any missing schema-default
  * keys, and rewrite only when there is an effective change.
@@ -248,6 +273,72 @@ function backfillConfigDefaults(
   }
 }
 
+/**
+ * Merge default workspace config from the file referenced by
+ * VELLUM_DEFAULT_WORKSPACE_CONFIG_PATH into the workspace config on disk.
+ *
+ * Called once at daemon startup (before the first loadConfig()) so the
+ * defaults are persisted to the workspace config file alongside any
+ * schema-level defaults that loadConfig() backfills.
+ */
+export function mergeDefaultWorkspaceConfig(): void {
+  const defaultConfigPath = process.env.VELLUM_DEFAULT_WORKSPACE_CONFIG_PATH;
+  if (!defaultConfigPath || !existsSync(defaultConfigPath)) return;
+
+  let defaults: unknown;
+  try {
+    defaults = JSON.parse(readFileSync(defaultConfigPath, "utf-8"));
+  } catch (err) {
+    log.warn(
+      { err },
+      "Failed to read default workspace config from %s",
+      defaultConfigPath,
+    );
+    return;
+  }
+
+  if (
+    defaults == null ||
+    typeof defaults !== "object" ||
+    Array.isArray(defaults)
+  ) {
+    return;
+  }
+
+  const configPath = getConfigPath();
+  let existing: Record<string, unknown> = {};
+  if (existsSync(configPath)) {
+    try {
+      existing = JSON.parse(readFileSync(configPath, "utf-8"));
+    } catch {
+      // If existing config is corrupt, start fresh
+    }
+  }
+
+  deepMergeOverwrite(existing, defaults as Record<string, unknown>);
+
+  const dir = dirname(configPath);
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true });
+  }
+  writeFileSync(configPath, JSON.stringify(existing, null, 2) + "\n");
+
+  // Move the temp file into the workspace directory as a permanent record.
+  // This prevents re-application on daemon restart (the env var still points
+  // at the old /tmp path which no longer exists).
+  try {
+    const dest = join(dir, "default-config.json");
+    renameSync(defaultConfigPath, dest);
+    log.info(
+      "Merged default workspace config from %s (archived to %s)",
+      defaultConfigPath,
+      dest,
+    );
+  } catch {
+    log.info("Merged default workspace config from %s", defaultConfigPath);
+  }
+}
+
 export function loadConfig(): AssistantConfig {
   if (cached) return cached;
 
@@ -375,30 +466,6 @@ export function saveRawConfig(config: Record<string, unknown>): void {
   cached = null; // invalidate cache
 }
 
-/**
- * Sync client-relevant config values (e.g. platform.baseUrl) to the lockfile
- * so external tools (e.g. vel) can discover them without importing the full
- * config schema.  Mirrors the behaviour of `syncConfigToLockfile` in the
- * lightweight CLI (`cli/src/lib/assistant-config.ts`).
- */
-export function syncConfigToLockfile(): void {
-  const configPath = getWorkspaceConfigPath();
-  if (!existsSync(configPath)) return;
-
-  try {
-    const raw = JSON.parse(readFileSync(configPath, "utf-8")) as Record<
-      string,
-      unknown
-    >;
-    const platform = raw.platform as Record<string, unknown> | undefined;
-    const data = readLockfile() ?? {};
-    data.platformBaseUrl = (platform?.baseUrl as string) || undefined;
-    writeLockfile(data);
-  } catch {
-    // Config file unreadable — skip sync
-  }
-}
-
 export function getNestedValue(
   obj: Record<string, unknown>,
   path: string,

package/src/config/schema.ts

@@ -40,6 +40,8 @@ export {
   ElevenLabsConfigSchema,
   VALID_CONVERSATION_TIMEOUTS,
 } from "./schemas/elevenlabs.js";
+export type { FishAudioConfig } from "./schemas/fish-audio.js";
+export { FishAudioConfigSchema } from "./schemas/fish-audio.js";
 export type { HeartbeatConfig } from "./schemas/heartbeat.js";
 export { HeartbeatConfigSchema } from "./schemas/heartbeat.js";
 export type {
@@ -173,8 +175,6 @@ export {
   SkillsInstallConfigSchema,
   SkillsLoadConfigSchema,
 } from "./schemas/skills.js";
-export type { SwarmConfig } from "./schemas/swarm.js";
-export { SwarmConfigSchema } from "./schemas/swarm.js";
 export type { RateLimitConfig, TimeoutConfig } from "./schemas/timeouts.js";
 export {
   RateLimitConfigSchema,
@@ -193,6 +193,7 @@ import {
   WhatsAppConfigSchema,
 } from "./schemas/channels.js";
 import { ElevenLabsConfigSchema } from "./schemas/elevenlabs.js";
+import { FishAudioConfigSchema } from "./schemas/fish-audio.js";
 import { HeartbeatConfigSchema } from "./schemas/heartbeat.js";
 import {
   ContextWindowConfigSchema,
@@ -223,7 +224,6 @@ import {
   VALID_INFERENCE_PROVIDERS,
 } from "./schemas/services.js";
 import { SkillsConfigSchema } from "./schemas/skills.js";
-import { SwarmConfigSchema } from "./schemas/swarm.js";
 import {
   RateLimitConfigSchema,
   TimeoutConfigSchema,
@@ -281,7 +281,6 @@ export const AssistantConfigSchema = z
         "Custom pricing overrides for specific provider/model combinations",
       ),
     heartbeat: HeartbeatConfigSchema.default(HeartbeatConfigSchema.parse({})),
-    swarm: SwarmConfigSchema.default(SwarmConfigSchema.parse({})),
     mcp: McpConfigSchema.default(McpConfigSchema.parse({})),
     acp: AcpConfigSchema.default(AcpConfigSchema.parse({})),
     skills: SkillsConfigSchema.default(SkillsConfigSchema.parse({})),
@@ -293,6 +292,7 @@ export const AssistantConfigSchema = z
     elevenlabs: ElevenLabsConfigSchema.default(
       ElevenLabsConfigSchema.parse({}),
     ),
+    fishAudio: FishAudioConfigSchema.default(FishAudioConfigSchema.parse({})),
     whatsapp: WhatsAppConfigSchema.default(WhatsAppConfigSchema.parse({})),
     telegram: TelegramConfigSchema.default(TelegramConfigSchema.parse({})),
     slack: SlackConfigSchema.default(SlackConfigSchema.parse({})),
@@ -303,15 +303,6 @@ export const AssistantConfigSchema = z
       NotificationsConfigSchema.parse({}),
     ),
     ui: UiConfigSchema.default(UiConfigSchema.parse({})),
-    assistantFeatureFlagValues: z
-      .record(
-        z.string(),
-        z.boolean({
-          error: "assistantFeatureFlagValues values must be booleans",
-        }),
-      )
-      .optional()
-      .describe("Feature flag overrides — map of flag names to boolean values"),
     collectUsageData: z
       .boolean()
       .default(true)

package/src/config/schemas/calls.ts

@@ -6,6 +6,7 @@ export const VALID_CALLER_IDENTITY_MODES = [
   "user_number",
 ] as const;
 const VALID_CALL_TRANSCRIPTION_PROVIDERS = ["Deepgram", "Google"] as const;
+export const VALID_TTS_PROVIDERS = ["elevenlabs", "fish-audio"] as const;
 
 export const CallsDisclosureConfigSchema = z
   .object({
@@ -57,6 +58,18 @@ export const CallsVoiceConfigSchema = z
       })
       .default("Deepgram")
       .describe("Speech-to-text provider used for call transcription"),
+    speechModel: z
+      .string({ error: "calls.voice.speechModel must be a string" })
+      .optional()
+      .describe(
+        "ASR model to use for speech recognition (e.g. nova-3, nova-2-phonecall for Deepgram; telephony, long for Google)",
+      ),
+    ttsProvider: z
+      .enum(VALID_TTS_PROVIDERS, {
+        error: `calls.voice.ttsProvider must be one of: ${VALID_TTS_PROVIDERS.join(", ")}`,
+      })
+      .default("elevenlabs")
+      .describe("Text-to-speech provider for phone calls"),
   })
   .describe("Voice and speech settings for phone calls");
 

package/src/config/schemas/fish-audio.ts

@@ -0,0 +1,39 @@
+import { z } from "zod";
+
+export const FishAudioConfigSchema = z
+  .object({
+    referenceId: z
+      .string({ error: "fishAudio.referenceId must be a string" })
+      .default("")
+      .describe("Fish Audio voice/clone reference ID"),
+    chunkLength: z
+      .number({ error: "fishAudio.chunkLength must be a number" })
+      .int("fishAudio.chunkLength must be an integer")
+      .min(100, "fishAudio.chunkLength must be >= 100")
+      .max(300, "fishAudio.chunkLength must be <= 300")
+      .default(200)
+      .describe("Text chunk size for streaming synthesis"),
+    format: z
+      .enum(["mp3", "wav", "opus"], {
+        error: "fishAudio.format must be one of: mp3, wav, opus",
+      })
+      .default("mp3")
+      .describe("Output audio format"),
+    latency: z
+      .enum(["normal", "balanced"], {
+        error: "fishAudio.latency must be one of: normal, balanced",
+      })
+      .default("normal")
+      .describe(
+        "Latency/quality tradeoff for Fish Audio S2 synthesis. 'normal' prioritizes lower latency; 'balanced' trades latency for higher quality.",
+      ),
+    speed: z
+      .number({ error: "fishAudio.speed must be a number" })
+      .min(0.5, "fishAudio.speed must be >= 0.5")
+      .max(2.0, "fishAudio.speed must be <= 2.0")
+      .default(1.0)
+      .describe("Playback speed multiplier (0.5 = slower, 2.0 = faster)"),
+  })
+  .describe("Fish Audio text-to-speech configuration");
+
+export type FishAudioConfig = z.infer<typeof FishAudioConfigSchema>;

package/src/config/schemas/security.ts

@@ -50,10 +50,6 @@ export const SecretDetectionConfigSchema = z
       .describe(
         "Whether to allow sending a detected secret once (with user confirmation) before redacting future occurrences",
       ),
-    blockIngress: z
-      .boolean({ error: "secretDetection.blockIngress must be a boolean" })
-      .default(true)
-      .describe("Whether to block secrets in incoming ingress messages"),
     customPatterns: z
       .array(CustomSecretPatternSchema)
       .optional()

package/src/config/types.ts

@@ -35,7 +35,6 @@ export type {
   SkillsInstallConfig,
   SkillsLoadConfig,
   SlackConfig,
-  SwarmConfig,
   ThinkingConfig,
   TimeoutConfig,
   UiConfig,

package/src/contacts/contact-store.ts

@@ -28,6 +28,36 @@ function escapeLike(value: string): string {
   return value.replace(/%/g, "").replace(/_/g, "");
 }
 
+/**
+ * Generate a collision-free slugified filename for a contact's per-user persona file.
+ * Produces filenames like "alice.md", "alice-2.md", "alice-3.md", etc.
+ */
+export function generateUserFileSlug(displayName: string): string {
+  const slug =
+    displayName
+      .toLowerCase()
+      .replace(/[^a-z0-9]+/g, "-")
+      .replace(/^-+|-+$/g, "")
+      .slice(0, 50) || "user";
+
+  const db = getDb();
+  const rows = db
+    .select({ userFile: contacts.userFile })
+    .from(contacts)
+    .where(like(contacts.userFile, `${escapeLike(slug)}%`))
+    .all();
+
+  const taken = new Set(rows.map((r) => r.userFile));
+
+  const base = `${slug}.md`;
+  if (!taken.has(base)) return base;
+
+  for (let i = 2; ; i++) {
+    const candidate = `${slug}-${i}.md`;
+    if (!taken.has(candidate)) return candidate;
+  }
+}
+
 function parseContact(row: typeof contacts.$inferSelect): Contact {
   return {
     id: row.id,
@@ -40,6 +70,7 @@ function parseContact(row: typeof contacts.$inferSelect): Contact {
     role: row.role as Contact["role"],
     contactType: (row.contactType as Contact["contactType"]) ?? "human",
     principalId: row.principalId,
+    userFile: row.userFile ?? null,
   };
 }
 
@@ -148,6 +179,7 @@ export function upsertContact(params: {
   role?: ContactRole;
   contactType?: ContactType;
   principalId?: string | null;
+  userFile?: string | null;
   channels?: SyncChannelData[];
   /** When true, conflicting channels on other contacts are reassigned to this
    *  contact instead of being skipped. Used by invite redemption to bind a
@@ -177,6 +209,7 @@ export function upsertContact(params: {
         updateSet.contactType = params.contactType;
       if (params.principalId !== undefined)
         updateSet.principalId = params.principalId;
+      if (params.userFile !== undefined) updateSet.userFile = params.userFile;
 
       db.update(contacts)
         .set(updateSet)
@@ -224,6 +257,7 @@ export function upsertContact(params: {
           updateSet.contactType = params.contactType;
         if (params.principalId !== undefined)
           updateSet.principalId = params.principalId;
+        if (params.userFile !== undefined) updateSet.userFile = params.userFile;
 
         db.update(contacts)
           .set(updateSet)
@@ -239,6 +273,10 @@ export function upsertContact(params: {
 
   // Create new contact
   contactId = contactId ?? uuid();
+  const userFileValue =
+    params.userFile !== undefined
+      ? params.userFile
+      : generateUserFileSlug(params.displayName);
   db.insert(contacts)
     .values({
       id: contactId,
@@ -247,6 +285,7 @@ export function upsertContact(params: {
       role: params.role ?? "contact",
       contactType: params.contactType ?? "human",
       principalId: params.principalId ?? null,
+      userFile: userFileValue ?? null,
       createdAt: now,
       updatedAt: now,
     })

package/src/contacts/types.ts

@@ -44,6 +44,8 @@ export interface Contact {
    * identified by channel address instead.
    */
   principalId: string | null;
+  /** Workspace-relative path to a per-user persona file for this contact. */
+  userFile: string | null;
 }
 
 export type ChannelStatus =

package/src/credential-execution/approval-bridge.ts

@@ -103,6 +103,7 @@ function mapUserDecisionToCesDecision(
         userDecision: decision,
       };
     case "temporary_override":
+    case "dangerously_skip_permissions":
       return {
         grantDecision: "approved",
         ttl: undefined,

package/src/credential-execution/executable-discovery.ts

@@ -79,6 +79,11 @@ export interface LocalDiscoverySuccess {
   executablePath: string;
 }
 
+export interface LocalSourceDiscoverySuccess {
+  mode: "local-source";
+  sourcePath: string;
+}
+
 export interface ManagedDiscoverySuccess {
   mode: "managed";
   socketPath: string;
@@ -91,6 +96,7 @@ export interface DiscoveryFailure {
 
 export type DiscoveryResult =
   | LocalDiscoverySuccess
+  | LocalSourceDiscoverySuccess
   | ManagedDiscoverySuccess
   | DiscoveryFailure;
 
@@ -101,11 +107,16 @@ export type DiscoveryResult =
 /**
  * Discover the local CES executable.
  *
- * Searches well-known paths for the `credential-executor` binary. Returns
- * a structured result — never throws. If the binary is not found, returns
+ * Searches well-known paths for the `credential-executor` binary. If the
+ * compiled binary is not found, falls back to the TypeScript source entry
+ * point in the monorepo. Returns a structured result — never throws. If
+ * neither the binary nor the source entry point is found, returns
  * `{ mode: "unavailable" }` so the caller can fail closed.
  */
-export function discoverLocalCes(): LocalDiscoverySuccess | DiscoveryFailure {
+export function discoverLocalCes():
+  | LocalDiscoverySuccess
+  | LocalSourceDiscoverySuccess
+  | DiscoveryFailure {
   const searchPaths = getLocalBinarySearchPaths();
 
   for (const candidate of searchPaths) {
@@ -115,7 +126,20 @@ export function discoverLocalCes(): LocalDiscoverySuccess | DiscoveryFailure {
     }
   }
 
-  const reason = `CES executable not found. Searched: ${searchPaths.join(", ")}`;
+  // Fallback: check for source entry point in the monorepo
+  const monorepoRoot = join(import.meta.dir, "..", "..", "..", "..");
+  const sourceEntry = join(
+    monorepoRoot,
+    "credential-executor",
+    "src",
+    "main.ts",
+  );
+  if (existsSync(sourceEntry)) {
+    log.info({ path: sourceEntry }, "Found local CES source entry point");
+    return { mode: "local-source", sourcePath: sourceEntry };
+  }
+
+  const reason = `CES executable not found. Searched: ${searchPaths.join(", ")}; also checked source at ${sourceEntry}`;
   log.warn(reason);
   return { mode: "unavailable", reason };
 }

package/src/credential-execution/feature-gates.ts

@@ -35,6 +35,10 @@ export const CES_GRANT_AUDIT_FLAG_KEY =
 export const CES_MANAGED_SIDECAR_FLAG_KEY =
   "feature_flags.ces-managed-sidecar.enabled" as const;
 
+/** Gate for routing credential reads/writes through the CES process. */
+export const CES_CREDENTIAL_BACKEND_FLAG_KEY =
+  "feature_flags.ces-credential-backend.enabled" as const;
+
 // ---------------------------------------------------------------------------
 // Public API — predicate functions
 // ---------------------------------------------------------------------------
@@ -73,3 +77,15 @@ export function isCesGrantAuditEnabled(config: AssistantConfig): boolean {
 export function isCesManagedSidecarEnabled(config: AssistantConfig): boolean {
   return isAssistantFeatureFlagEnabled(CES_MANAGED_SIDECAR_FLAG_KEY, config);
 }
+
+/**
+ * Whether credential reads and writes should be routed through the CES process.
+ */
+export function isCesCredentialBackendEnabled(
+  config: AssistantConfig,
+): boolean {
+  return isAssistantFeatureFlagEnabled(
+    CES_CREDENTIAL_BACKEND_FLAG_KEY,
+    config,
+  );
+}

package/src/credential-execution/process-manager.ts

@@ -38,6 +38,7 @@ import {
   discoverLocalCes,
   type DiscoveryResult,
   type LocalDiscoverySuccess,
+  type LocalSourceDiscoverySuccess,
   type ManagedDiscoverySuccess,
 } from "./executable-discovery.js";
 import { isCesManagedSidecarEnabled } from "./feature-gates.js";
@@ -156,6 +157,12 @@ export function createCesProcessManager(
         return transport;
       }
 
+      if (discoveryResult.mode === "local-source") {
+        const transport = await startLocalSourceProcess(discoveryResult);
+        running = true;
+        return transport;
+      }
+
       // managed mode
       const transport = await connectManagedSocket(discoveryResult);
       running = true;
@@ -235,6 +242,37 @@ export function createCesProcessManager(
     return createStdioTransport(proc);
   }
 
+  // -------------------------------------------------------------------------
+  // Local source mode — child process over stdio (bun run)
+  // -------------------------------------------------------------------------
+
+  async function startLocalSourceProcess(
+    discovery: LocalSourceDiscoverySuccess,
+  ): Promise<CesTransport> {
+    log.info(
+      { sourcePath: discovery.sourcePath },
+      "Spawning CES child process from source",
+    );
+
+    const proc = Bun.spawn({
+      cmd: ["bun", "run", discovery.sourcePath],
+      stdin: "pipe",
+      stdout: "pipe",
+      stderr: "ignore",
+      env: {
+        ...process.env,
+        // Signal to CES that it was launched by the assistant
+        CES_LAUNCHED_BY: "assistant",
+      },
+    });
+
+    childProcess = proc;
+
+    log.info({ pid: proc.pid }, "CES child process started (from source)");
+
+    return createStdioTransport(proc);
+  }
+
   // -------------------------------------------------------------------------
   // Managed mode — Unix socket connection
   // -------------------------------------------------------------------------

package/src/daemon/assistant-attachments.ts

@@ -76,6 +76,15 @@ const EXTENSION_MIME_MAP: Record<string, string> = {
   js: "text/javascript",
   ts: "text/typescript",
 
+  // Audio
+  mp3: "audio/mpeg",
+  wav: "audio/wav",
+  ogg: "audio/ogg",
+  flac: "audio/flac",
+  aac: "audio/aac",
+  m4a: "audio/x-m4a",
+  opus: "audio/opus",
+
   // Video
   mp4: "video/mp4",
   webm: "video/webm",

package/src/daemon/config-watcher.ts

@@ -12,6 +12,7 @@ import {
 } from "node:fs";
 import { join } from "node:path";
 
+import { clearFeatureFlagOverridesCache } from "../config/assistant-feature-flags.js";
 import { getConfig, invalidateConfigCache } from "../config/loader.js";
 import { clearEmbeddingBackendCache } from "../memory/embedding-backend.js";
 import { clearCache as clearTrustCache } from "../permissions/trust-store.js";
@@ -153,6 +154,10 @@ export class ConfigWatcher {
       "trust.json": () => {
         clearTrustCache();
       },
+      "feature-flags.json": () => {
+        clearFeatureFlagOverridesCache();
+        onConversationEvict();
+      },
       "secret-allowlist.json": () => {
         resetAllowlist();
         try {