@vellumai/assistant 0.5.6 → 0.5.7

package/src/runtime/routes/tts-routes.ts

@@ -0,0 +1,86 @@
+/**
+ * HTTP route definitions for message text-to-speech synthesis.
+ *
+ * POST /v1/messages/:id/tts?conversationId=... — synthesize message text to audio
+ *
+ * Gated behind the `feature_flags.message-tts.enabled` assistant feature flag.
+ * Uses Fish Audio for synthesis when configured.
+ */
+
+import { synthesizeWithFishAudio } from "../../calls/fish-audio-client.js";
+import { isAssistantFeatureFlagEnabled } from "../../config/assistant-feature-flags.js";
+import { getConfig } from "../../config/loader.js";
+import { getMessageContent } from "../../daemon/handlers/conversation-history.js";
+import { getLogger } from "../../util/logger.js";
+import { httpError } from "../http-errors.js";
+import type { RouteDefinition } from "../http-router.js";
+
+const log = getLogger("tts-routes");
+
+const MESSAGE_TTS_FLAG = "feature_flags.message-tts.enabled" as const;
+
+// ---------------------------------------------------------------------------
+// Route definitions
+// ---------------------------------------------------------------------------
+
+export function ttsRouteDefinitions(): RouteDefinition[] {
+  return [
+    {
+      endpoint: "messages/:id/tts",
+      method: "POST",
+      policyKey: "messages/tts",
+      handler: async ({ url, params }) => {
+        const config = getConfig();
+
+        if (!isAssistantFeatureFlagEnabled(MESSAGE_TTS_FLAG, config)) {
+          return httpError("FORBIDDEN", "Message TTS is not enabled", 403);
+        }
+
+        const messageId = params.id;
+        const conversationId =
+          url.searchParams.get("conversationId") ?? undefined;
+
+        const result = getMessageContent(messageId, conversationId);
+        if (!result) {
+          return httpError("NOT_FOUND", `Message ${messageId} not found`, 404);
+        }
+
+        if (!result.text) {
+          return httpError("BAD_REQUEST", "Message has no text content", 400);
+        }
+
+        const { fishAudio } = config;
+        if (!fishAudio?.referenceId) {
+          return httpError(
+            "SERVICE_UNAVAILABLE",
+            "Fish Audio TTS is not configured",
+            503,
+          );
+        }
+
+        try {
+          const audioBuffer = await synthesizeWithFishAudio(
+            result.text,
+            fishAudio,
+          );
+
+          const format = fishAudio.format ?? "mp3";
+          const contentType =
+            format === "wav"
+              ? "audio/wav"
+              : format === "opus"
+                ? "audio/opus"
+                : "audio/mpeg";
+
+          return new Response(new Uint8Array(audioBuffer), {
+            status: 200,
+            headers: { "Content-Type": contentType },
+          });
+        } catch (err) {
+          log.error({ err, messageId }, "TTS synthesis failed");
+          return httpError("INTERNAL_ERROR", "TTS synthesis failed", 502);
+        }
+      },
+    },
+  ];
+}

package/src/runtime/routes/upgrade-broadcast-routes.ts

@@ -1,6 +1,6 @@
 /**
  * Upgrade broadcast endpoint — publishes service group update lifecycle
- * events (starting / complete) to all connected SSE clients.
+ * events (starting / progress / complete) to all connected SSE clients.
  *
  * Protected by a route policy restricting access to gateway service
  * principals only (`svc_gateway` with `internal.write` scope), following
@@ -11,6 +11,7 @@
 
 import type {
   ServiceGroupUpdateComplete,
+  ServiceGroupUpdateProgress,
   ServiceGroupUpdateStarting,
 } from "../../daemon/message-types/upgrades.js";
 import { buildAssistantEvent } from "../assistant-event.js";
@@ -86,6 +87,29 @@ export function upgradeBroadcastRouteDefinitions(): RouteDefinition[] {
           return Response.json({ ok: true });
         }
 
+        if (type === "progress") {
+          const { statusMessage } = body as { statusMessage?: unknown };
+
+          if (typeof statusMessage !== "string" || statusMessage.length === 0) {
+            return httpError(
+              "BAD_REQUEST",
+              "statusMessage is required and must be a non-empty string",
+              400,
+            );
+          }
+
+          const message: ServiceGroupUpdateProgress = {
+            type: "service_group_update_progress",
+            statusMessage,
+          };
+
+          await assistantEventHub.publish(
+            buildAssistantEvent(DAEMON_INTERNAL_ASSISTANT_ID, message),
+          );
+
+          return Response.json({ ok: true });
+        }
+
         if (type === "complete") {
           const { installedVersion, success, rolledBackToVersion } = body as {
             installedVersion?: unknown;
@@ -142,7 +166,7 @@ export function upgradeBroadcastRouteDefinitions(): RouteDefinition[] {
 
         return httpError(
           "BAD_REQUEST",
-          'type must be "starting" or "complete"',
+          'type must be "starting", "progress", or "complete"',
           400,
         );
       },

package/src/runtime/routes/workspace-commit-routes.ts

@@ -0,0 +1,62 @@
+/**
+ * Workspace commit endpoint — creates a git commit in the workspace
+ * directory with all pending changes.
+ *
+ * Protected by a route policy restricting access to gateway service
+ * principals only (`svc_gateway` with `internal.write` scope), following
+ * the same pattern as other gateway-forwarded control-plane endpoints.
+ */
+
+import { getWorkspaceDir } from "../../util/platform.js";
+import { getWorkspaceGitService } from "../../workspace/git-service.js";
+import { httpError } from "../http-errors.js";
+import type { RouteDefinition } from "../http-router.js";
+
+export function workspaceCommitRouteDefinitions(): RouteDefinition[] {
+  return [
+    {
+      endpoint: "admin/workspace-commit",
+      method: "POST",
+      handler: async ({ req }) => {
+        let body: unknown;
+        try {
+          body = await req.json();
+        } catch {
+          return httpError("BAD_REQUEST", "Invalid JSON body", 400);
+        }
+
+        if (!body || typeof body !== "object") {
+          return httpError(
+            "BAD_REQUEST",
+            "Request body must be a JSON object",
+            400,
+          );
+        }
+
+        const { message } = body as { message?: unknown };
+
+        if (typeof message !== "string" || message.length === 0) {
+          return httpError(
+            "BAD_REQUEST",
+            "message is required and must be a non-empty string",
+            400,
+          );
+        }
+
+        try {
+          await getWorkspaceGitService(getWorkspaceDir()).commitChanges(
+            message,
+          );
+          return Response.json({ ok: true });
+        } catch (err) {
+          const detail = err instanceof Error ? err.message : "Unknown error";
+          return httpError(
+            "INTERNAL_ERROR",
+            `Workspace commit failed: ${detail}`,
+            500,
+          );
+        }
+      },
+    },
+  ];
+}

package/src/runtime/routes/workspace-routes.test.ts

@@ -190,9 +190,30 @@ describe("isTextMimeType", () => {
     expect(isTextMimeType("video/mp4")).toBe(false);
   });
 
-  test("application/octet-stream is not text", () => {
+  test("application/octet-stream is not text without filename", () => {
     expect(isTextMimeType("application/octet-stream")).toBe(false);
   });
+
+  test("application/octet-stream with .py filename is text", () => {
+    expect(isTextMimeType("application/octet-stream", "script.py")).toBe(true);
+  });
+
+  test("application/octet-stream with .go filename is text", () => {
+    expect(isTextMimeType("application/octet-stream", "main.go")).toBe(true);
+  });
+
+  test("application/octet-stream with .rs filename is text", () => {
+    expect(isTextMimeType("application/octet-stream", "lib.rs")).toBe(true);
+  });
+
+  test("application/octet-stream with unknown extension is not text", () => {
+    expect(isTextMimeType("application/octet-stream", "data.bin")).toBe(false);
+  });
+
+  test("extension fallback only applies to application/octet-stream", () => {
+    // A binary plist has a specific MIME type — extension should not override it
+    expect(isTextMimeType("application/x-plist", "Info.plist")).toBe(false);
+  });
 });
 
 // ===========================================================================

package/src/runtime/routes/workspace-routes.ts

@@ -119,7 +119,7 @@ function handleWorkspaceFile(ctx: RouteContext): Response {
   }
 
   const mimeType = Bun.file(resolved).type;
-  const isText = isTextMimeType(mimeType);
+  const isText = isTextMimeType(mimeType, basename(resolved));
   const isBinary = !isText;
 
   let content: string | undefined = undefined;

package/src/runtime/routes/workspace-utils.ts

@@ -85,10 +85,94 @@ const TEXT_MIME_PREFIXES = [
   "application/x-yaml",
   "application/toml",
   "application/x-sh",
+  "application/x-httpd-php",
+  "application/x-perl",
+  "application/x-sql",
+  "application/x-tex",
+  "application/vnd.dart",
 ];
 
-export function isTextMimeType(mimeType: string): boolean {
-  return TEXT_MIME_PREFIXES.some((prefix) => mimeType.startsWith(prefix));
+/**
+ * File extensions that are known text/code files but that Bun's MIME
+ * detection reports as `application/octet-stream`.
+ */
+const TEXT_FILE_EXTENSIONS = new Set([
+  // Programming languages
+  "py",
+  "rb",
+  "go",
+  "rs",
+  "swift",
+  "kt",
+  "kts",
+  "cs",
+  "scala",
+  "ex",
+  "exs",
+  "erl",
+  "hs",
+  "clj",
+  "cljs",
+  "jl",
+  "zig",
+  "nim",
+  "v",
+  "sol",
+  "r",
+  "java",
+  "lua",
+  // Shell / scripting
+  "bash",
+  "zsh",
+  "fish",
+  "ps1",
+  "bat",
+  "cmd",
+  "awk",
+  // Web frameworks
+  "vue",
+  "svelte",
+  "scss",
+  "sass",
+  "less",
+  // Config / data
+  "cfg",
+  "conf",
+  "ini",
+  "properties",
+  "env",
+  "gradle",
+  "cmake",
+  // Markup / docs
+  "rst",
+  "adoc",
+  "org",
+  "tex",
+  "latex",
+  // Other text formats
+  "graphql",
+  "gql",
+  "proto",
+  "tf",
+  "hcl",
+  "diff",
+  "patch",
+  "log",
+  "lock",
+]);
+
+export function isTextMimeType(mimeType: string, fileName?: string): boolean {
+  if (TEXT_MIME_PREFIXES.some((prefix) => mimeType.startsWith(prefix))) {
+    return true;
+  }
+  // Only fall back to extension check when the MIME type is genuinely unknown.
+  // Specific MIME types (e.g. application/x-plist for binary plists) should be
+  // trusted over the extension — overriding them risks corrupting binary files.
+  if (fileName && mimeType === "application/octet-stream") {
+    const ext = fileName.split(".").pop()?.toLowerCase();
+    if (ext && TEXT_FILE_EXTENSIONS.has(ext)) return true;
+  }
+  return false;
 }
 
 export const MAX_INLINE_TEXT_SIZE = 2 * 1024 * 1024; // 2 MB

package/src/security/ces-credential-client.ts

@@ -16,11 +16,17 @@
  */
 
 import { getLogger } from "../util/logger.js";
-import type { CredentialBackend, DeleteResult } from "./credential-backend.js";
+import type {
+  CredentialBackend,
+  CredentialGetResult,
+  DeleteResult,
+} from "./credential-backend.js";
 
 const log = getLogger("ces-credential-client");
 
 const REQUEST_TIMEOUT_MS = 10_000;
+const SET_MAX_RETRIES = 3;
+const SET_RETRY_DELAY_MS = 2_000;
 
 // ---------------------------------------------------------------------------
 // Env helpers
@@ -77,49 +83,80 @@ export class CesCredentialBackend implements CredentialBackend {
     return !!getBaseUrl() && !!getServiceToken();
   }
 
-  async get(account: string): Promise<string | undefined> {
+  async get(account: string): Promise<CredentialGetResult> {
     try {
       const res = await cesRequest(
         "GET",
         `/v1/credentials/${encodeURIComponent(account)}`,
       );
-      if (!res) return undefined;
-      if (res.status === 404) return undefined;
+      if (!res) return { value: undefined, unreachable: true };
+      if (res.status === 404) return { value: undefined, unreachable: false };
       if (!res.ok) {
         log.warn(
           { account, status: res.status },
           "CES credential get returned non-OK status",
         );
-        return undefined;
+        return { value: undefined, unreachable: true };
       }
       const data = (await res.json()) as { value?: string };
-      return data.value;
+      return { value: data.value, unreachable: false };
     } catch (err) {
       log.warn({ err, account }, "CES credential get threw unexpectedly");
-      return undefined;
+      return { value: undefined, unreachable: true };
     }
   }
 
   async set(account: string, value: string): Promise<boolean> {
-    try {
-      const res = await cesRequest(
-        "POST",
-        `/v1/credentials/${encodeURIComponent(account)}`,
-        { value },
-      );
-      if (!res) return false;
-      if (!res.ok) {
-        log.warn(
-          { account, status: res.status },
-          "CES credential set returned non-OK status",
+    for (let attempt = 0; attempt < SET_MAX_RETRIES; attempt++) {
+      try {
+        const res = await cesRequest(
+          "POST",
+          `/v1/credentials/${encodeURIComponent(account)}`,
+          { value },
         );
+        if (!res) {
+          // CES not reachable or env vars missing — retry in case sidecar
+          // is still starting up after pod creation.
+          if (attempt < SET_MAX_RETRIES - 1) {
+            log.warn(
+              { account, attempt },
+              "CES credential set got no response, retrying",
+            );
+            await new Promise((r) => setTimeout(r, SET_RETRY_DELAY_MS));
+            continue;
+          }
+          return false;
+        }
+        if (!res.ok) {
+          if (attempt < SET_MAX_RETRIES - 1) {
+            log.warn(
+              { account, status: res.status, attempt },
+              "CES credential set returned non-OK status, retrying",
+            );
+            await new Promise((r) => setTimeout(r, SET_RETRY_DELAY_MS));
+            continue;
+          }
+          log.warn(
+            { account, status: res.status },
+            "CES credential set returned non-OK status",
+          );
+          return false;
+        }
+        return true;
+      } catch (err) {
+        if (attempt < SET_MAX_RETRIES - 1) {
+          log.warn(
+            { err, account, attempt },
+            "CES credential set threw, retrying",
+          );
+          await new Promise((r) => setTimeout(r, SET_RETRY_DELAY_MS));
+          continue;
+        }
+        log.warn({ err, account }, "CES credential set threw unexpectedly");
         return false;
       }
-      return true;
-    } catch (err) {
-      log.warn({ err, account }, "CES credential set threw unexpectedly");
-      return false;
     }
+    return false;
   }
 
   async delete(account: string): Promise<DeleteResult> {

package/src/security/ces-rpc-credential-backend.ts

@@ -0,0 +1,85 @@
+/**
+ * CesRpcCredentialBackend — a CredentialBackend that delegates all credential
+ * operations to the Credential Execution Service (CES) via stdio RPC.
+ *
+ * Maps RPC responses to the existing CredentialGetResult and DeleteResult
+ * types. Errors are caught and mapped to unreachable/error states for
+ * graceful fallback.
+ */
+
+import { CesRpcMethod } from "@vellumai/ces-contracts";
+
+import type { CesClient } from "../credential-execution/client.js";
+import { getLogger } from "../util/logger.js";
+import type {
+  CredentialBackend,
+  CredentialGetResult,
+  DeleteResult,
+} from "./credential-backend.js";
+
+const log = getLogger("ces-rpc-credential-backend");
+
+export class CesRpcCredentialBackend implements CredentialBackend {
+  readonly name = "ces-rpc";
+
+  constructor(private readonly client: CesClient) {}
+
+  isAvailable(): boolean {
+    return this.client.isReady();
+  }
+
+  async get(account: string): Promise<CredentialGetResult> {
+    try {
+      const result = await this.client.call(
+        CesRpcMethod.GetCredential,
+        { account },
+      );
+      return {
+        value: result.found ? result.value : undefined,
+        unreachable: false,
+      };
+    } catch (err) {
+      log.warn({ err, account }, "CES RPC credential get failed");
+      return { value: undefined, unreachable: true };
+    }
+  }
+
+  async set(account: string, value: string): Promise<boolean> {
+    try {
+      const result = await this.client.call(
+        CesRpcMethod.SetCredential,
+        { account, value },
+      );
+      return result.ok;
+    } catch (err) {
+      log.warn({ err, account }, "CES RPC credential set failed");
+      return false;
+    }
+  }
+
+  async delete(account: string): Promise<DeleteResult> {
+    try {
+      const result = await this.client.call(
+        CesRpcMethod.DeleteCredential,
+        { account },
+      );
+      return result.result;
+    } catch (err) {
+      log.warn({ err, account }, "CES RPC credential delete failed");
+      return "error";
+    }
+  }
+
+  async list(): Promise<string[]> {
+    try {
+      const result = await this.client.call(
+        CesRpcMethod.ListCredentials,
+        {},
+      );
+      return result.accounts;
+    } catch (err) {
+      log.warn({ err }, "CES RPC credential list failed");
+      return [];
+    }
+  }
+}

package/src/security/credential-backend.ts

@@ -1,15 +1,10 @@
 /**
  * CredentialBackend interface and adapters — abstracts credential storage
  * behind a unified async API so callers don't need to know which backend
- * (macOS Keychain, encrypted file store, etc.) is in use.
+ * is in use.
  */
 
-import { getLogger } from "../util/logger.js";
 import * as encryptedStore from "./encrypted-store.js";
-import type { KeychainBrokerClient } from "./keychain-broker-client.js";
-import { createBrokerClient } from "./keychain-broker-client.js";
-
-const log = getLogger("credential-backend");
 
 // ---------------------------------------------------------------------------
 // Types
@@ -18,6 +13,12 @@ const log = getLogger("credential-backend");
 /** Result of a delete operation — distinguishes success, not-found, and error. */
 export type DeleteResult = "deleted" | "not-found" | "error";
 
+/** Result of a get operation — distinguishes unreachable from not-found. */
+export interface CredentialGetResult {
+  value: string | undefined;
+  unreachable: boolean;
+}
+
 // ---------------------------------------------------------------------------
 // Interface
 // ---------------------------------------------------------------------------
@@ -29,8 +30,8 @@ export interface CredentialBackend {
   /** Whether this backend is currently reachable. Sync and cheap. */
   isAvailable(): boolean;
 
-  /** Retrieve a secret. Returns undefined if not found or on error. */
-  get(account: string): Promise<string | undefined>;
+  /** Retrieve a secret. Returns a result distinguishing unreachable from not-found. */
+  get(account: string): Promise<CredentialGetResult>;
 
   /** Store a secret. Returns true on success. */
   set(account: string, value: string): Promise<boolean>;
@@ -42,79 +43,6 @@ export interface CredentialBackend {
   list(): Promise<string[]>;
 }
 
-// ---------------------------------------------------------------------------
-// KeychainBackend
-// ---------------------------------------------------------------------------
-
-export class KeychainBackend implements CredentialBackend {
-  readonly name = "keychain";
-
-  constructor(private readonly client: KeychainBrokerClient) {}
-
-  isAvailable(): boolean {
-    return this.client.isAvailable();
-  }
-
-  async get(account: string): Promise<string | undefined> {
-    try {
-      const result = await this.client.get(account);
-      if (result == null) {
-        log.warn(
-          { account },
-          "Keychain broker unreachable during get — falling back",
-        );
-        return undefined;
-      }
-      if (!result.found) return undefined;
-      return result.value;
-    } catch (err) {
-      log.warn({ err, account }, "Keychain get threw unexpectedly");
-      return undefined;
-    }
-  }
-
-  async set(account: string, value: string): Promise<boolean> {
-    try {
-      const result = await this.client.set(account, value);
-      if (result.status === "ok") return true;
-      log.warn(
-        {
-          account,
-          status: result.status,
-          ...(result.status === "rejected"
-            ? { code: result.code, message: result.message }
-            : {}),
-        },
-        "Keychain broker set failed",
-      );
-      return false;
-    } catch (err) {
-      log.warn({ err, account }, "Keychain set threw unexpectedly");
-      return false;
-    }
-  }
-
-  async delete(account: string): Promise<DeleteResult> {
-    try {
-      const ok = await this.client.del(account);
-      // The keychain broker returns a boolean — it does not distinguish
-      // "not found" from a genuine error, so we map false → "error".
-      return ok ? "deleted" : "error";
-    } catch {
-      return "error";
-    }
-  }
-
-  async list(): Promise<string[]> {
-    try {
-      return await this.client.list();
-    } catch (err) {
-      log.warn({ err }, "Keychain list threw unexpectedly");
-      return [];
-    }
-  }
-}
-
 // ---------------------------------------------------------------------------
 // EncryptedStoreBackend
 // ---------------------------------------------------------------------------
@@ -126,11 +54,11 @@ export class EncryptedStoreBackend implements CredentialBackend {
     return true;
   }
 
-  async get(account: string): Promise<string | undefined> {
+  async get(account: string): Promise<CredentialGetResult> {
     try {
-      return encryptedStore.getKey(account);
+      return { value: encryptedStore.getKey(account), unreachable: false };
     } catch {
-      return undefined;
+      return { value: undefined, unreachable: false };
     }
   }
 
@@ -163,10 +91,6 @@ export class EncryptedStoreBackend implements CredentialBackend {
 // Factory functions
 // ---------------------------------------------------------------------------
 
-export function createKeychainBackend(): KeychainBackend {
-  return new KeychainBackend(createBrokerClient());
-}
-
 export function createEncryptedStoreBackend(): EncryptedStoreBackend {
   return new EncryptedStoreBackend();
 }