@vellumai/assistant 0.5.6 → 0.5.8

package/src/notifications/adapters/slack.ts

@@ -13,7 +13,12 @@ import { mintDaemonDeliveryToken } from "../../runtime/auth/token-service.js";
 import { deliverChannelReply } from "../../runtime/gateway-client.js";
 import { getLogger } from "../../util/logger.js";
 import { isConversationSeedSane } from "../conversation-seed-composer.js";
-import { nonEmpty } from "../copy-composer.js";
+import {
+  buildAccessRequestIdentityLine,
+  buildAccessRequestInviteDirective,
+  nonEmpty,
+  sanitizeIdentityField,
+} from "../copy-composer.js";
 import type {
   ChannelAdapter,
   ChannelDeliveryPayload,
@@ -41,6 +46,149 @@ function resolveSlackMessageText(payload: ChannelDeliveryPayload): string {
   return payload.sourceEventName.replace(/[._]/g, " ");
 }
 
+// ---------------------------------------------------------------------------
+// Block Kit helpers for access request notifications
+// ---------------------------------------------------------------------------
+
+/**
+ * Build Block Kit blocks for an access request notification.
+ *
+ * Returns an array of Slack Block Kit block objects with structured layout:
+ * - Header: "New access request"
+ * - Section: requester identity details
+ * - Optional context: message preview
+ * - Context: approval code instructions + invite directive
+ */
+export function buildAccessRequestBlocks(
+  payload: Record<string, unknown>,
+): unknown[] {
+  const blocks: unknown[] = [];
+
+  // Header
+  blocks.push({
+    type: "header",
+    text: { type: "plain_text", text: "New access request", emoji: true },
+  });
+
+  // Requester identity section
+  const identityLine = buildAccessRequestIdentityLine(payload);
+  blocks.push({
+    type: "section",
+    text: { type: "mrkdwn", text: identityLine },
+  });
+
+  // Build fields for structured requester details
+  const fields: Array<{ type: "mrkdwn"; text: string }> = [];
+
+  const senderIdentifier = nonEmpty(
+    typeof payload.senderIdentifier === "string"
+      ? sanitizeIdentityField(payload.senderIdentifier)
+      : undefined,
+  );
+  if (senderIdentifier) {
+    fields.push({ type: "mrkdwn", text: `*Name:*\n${senderIdentifier}` });
+  }
+
+  const actorUsername = nonEmpty(
+    typeof payload.actorUsername === "string"
+      ? sanitizeIdentityField(payload.actorUsername)
+      : undefined,
+  );
+  if (actorUsername) {
+    fields.push({ type: "mrkdwn", text: `*Username:*\n@${actorUsername}` });
+  }
+
+  const sourceChannel = nonEmpty(
+    typeof payload.sourceChannel === "string"
+      ? payload.sourceChannel
+      : undefined,
+  );
+  if (sourceChannel) {
+    fields.push({ type: "mrkdwn", text: `*Channel:*\n${sourceChannel}` });
+  }
+
+  const actorExternalId = nonEmpty(
+    typeof payload.actorExternalId === "string"
+      ? sanitizeIdentityField(payload.actorExternalId)
+      : undefined,
+  );
+  if (actorExternalId && actorExternalId !== senderIdentifier) {
+    fields.push({ type: "mrkdwn", text: `*ID:*\n${actorExternalId}` });
+  }
+
+  if (fields.length > 0) {
+    blocks.push({
+      type: "section",
+      fields,
+    });
+  }
+
+  // Previously revoked warning
+  const previousMemberStatus =
+    typeof payload.previousMemberStatus === "string"
+      ? payload.previousMemberStatus
+      : undefined;
+  if (previousMemberStatus === "revoked") {
+    blocks.push({
+      type: "context",
+      elements: [
+        {
+          type: "mrkdwn",
+          text: ":warning: This user was previously revoked.",
+        },
+      ],
+    });
+  }
+
+  // Divider before instructions
+  blocks.push({ type: "divider" });
+
+  // Approval code instructions
+  const requestCode = nonEmpty(
+    typeof payload.requestCode === "string" ? payload.requestCode : undefined,
+  );
+  if (requestCode) {
+    const code = requestCode.toUpperCase();
+    blocks.push({
+      type: "section",
+      text: {
+        type: "mrkdwn",
+        text: `Reply *\`${code} approve\`* to grant access or *\`${code} reject\`* to deny.`,
+      },
+    });
+  }
+
+  // Invite directive
+  const inviteDirective = buildAccessRequestInviteDirective();
+  blocks.push({
+    type: "context",
+    elements: [{ type: "mrkdwn", text: inviteDirective }],
+  });
+
+  // Guardian verification note
+  const guardianResolutionSource =
+    typeof payload.guardianResolutionSource === "string"
+      ? payload.guardianResolutionSource
+      : undefined;
+  if (
+    (guardianResolutionSource === "vellum-anchor" ||
+      guardianResolutionSource === "none") &&
+    sourceChannel
+  ) {
+    blocks.push({
+      type: "context",
+      elements: [
+        {
+          type: "mrkdwn",
+          text: `_You haven't verified your identity on ${sourceChannel} yet. If this was you trying to message your assistant, say "help me verify as guardian on ${sourceChannel}" to set up direct access._`,
+        },
+      ],
+    });
+  }
+
+  return blocks;
+}
+
 export class SlackAdapter implements ChannelAdapter {
   readonly channel: NotificationChannel = "slack";
 
@@ -65,12 +213,26 @@ export class SlackAdapter implements ChannelAdapter {
 
     const messageText = resolveSlackMessageText(payload);
 
+    // Build Block Kit blocks for access request notifications
+    const isAccessRequest =
+      payload.sourceEventName === "ingress.access_request" &&
+      payload.contextPayload != null;
+
     try {
-      await deliverChannelReply(
-        deliverUrl,
-        { chatId, text: messageText, useBlocks: true },
-        mintDaemonDeliveryToken(),
-      );
+      if (isAccessRequest) {
+        const blocks = buildAccessRequestBlocks(payload.contextPayload!);
+        await deliverChannelReply(
+          deliverUrl,
+          { chatId, text: messageText, blocks },
+          mintDaemonDeliveryToken(),
+        );
+      } else {
+        await deliverChannelReply(
+          deliverUrl,
+          { chatId, text: messageText, useBlocks: true },
+          mintDaemonDeliveryToken(),
+        );
+      }
 
       log.info(
         { sourceEventName: payload.sourceEventName, chatId },

package/src/notifications/broadcaster.ts

@@ -271,6 +271,7 @@ export class NotificationBroadcaster {
         sourceEventName: signal.sourceEventName,
         copy,
         deepLinkTarget,
+        contextPayload: signal.contextPayload,
       };
 
       // Compute conversation decision audit fields for the delivery record

package/src/notifications/copy-composer.ts

@@ -99,7 +99,14 @@ export function buildAccessRequestIdentityLine(
   const sanitizedExternalId = actorExternalId
     ? sanitizeIdentityField(actorExternalId)
     : undefined;
-  const parts = [requester];
+  // When the requester is a raw Slack user ID (e.g. the fallback path in
+  // access-request-helper sets senderIdentifier to the raw actorExternalId),
+  // format it as a Slack mention so it renders as a clickable display name.
+  const formattedRequester =
+    sourceChannel === "slack" && /^U[A-Z0-9]+$/i.test(requester)
+      ? `<@${requester}>`
+      : requester;
+  const parts = [formattedRequester];
   if (sanitizedUsername && sanitizedUsername !== requester) {
     parts.push(`@${sanitizedUsername}`);
   }
@@ -108,7 +115,13 @@ export function buildAccessRequestIdentityLine(
     sanitizedExternalId !== requester &&
     sanitizedExternalId !== sanitizedUsername
   ) {
-    parts.push(`[${sanitizedExternalId}]`);
+    // For Slack, use the <@U...> mention format so Slack auto-renders
+    // the user ID as a clickable display name.
+    const formattedId =
+      sourceChannel === "slack" && /^U[A-Z0-9]+$/i.test(sanitizedExternalId)
+        ? `<@${sanitizedExternalId}>`
+        : `[${sanitizedExternalId}]`;
+    parts.push(formattedId);
   }
   if (sourceChannel) {
     parts.push(`via ${sourceChannel}`);
@@ -117,6 +130,46 @@ export function buildAccessRequestIdentityLine(
   return `${parts.join(" ")} is requesting access to the assistant.`;
 }
 
+export const MESSAGE_PREVIEW_MAX_LENGTH = 200;
+
+/**
+ * Sanitize an untrusted message preview for inclusion in notification copy.
+ *
+ * Like {@link sanitizeIdentityField} but uses the higher
+ * MESSAGE_PREVIEW_MAX_LENGTH limit (200 chars) instead of the identity
+ * field limit (120 chars).
+ */
+export function sanitizeMessagePreview(value: string): string {
+  const stripped = value.replace(/[\x00-\x1f\x7f-\x9f\r\n]+/g, " ").trim();
+  const clamped =
+    stripped.length > MESSAGE_PREVIEW_MAX_LENGTH
+      ? stripped.slice(0, MESSAGE_PREVIEW_MAX_LENGTH) + "…"
+      : stripped;
+  return clamped;
+}
+
+/**
+ * Build a quoted preview of the requester's original message for inclusion
+ * in guardian-facing access-request copy. Sanitizes and truncates to keep
+ * the notification concise.
+ *
+ * Returns `undefined` when no usable preview is available.
+ */
+export function buildAccessRequestMessagePreview(
+  payload: Record<string, unknown>,
+): string | undefined {
+  const raw =
+    typeof payload.messagePreview === "string"
+      ? payload.messagePreview
+      : undefined;
+  if (!raw) return undefined;
+
+  const sanitized = sanitizeMessagePreview(raw);
+  if (sanitized.length === 0) return undefined;
+
+  return `> Their message: "${sanitized}"`;
+}
+
 export function buildAccessRequestInviteDirective(): string {
   return 'Reply "open invite flow" to start Trusted Contacts invite flow.';
 }
@@ -227,6 +280,10 @@ export function buildAccessRequestContractText(
 
   const lines: string[] = [];
   lines.push(buildAccessRequestIdentityLine(payload));
+  const preview = buildAccessRequestMessagePreview(payload);
+  if (preview) {
+    lines.push(preview);
+  }
   if (previousMemberStatus === "revoked") {
     lines.push("Note: this user was previously revoked.");
   }

package/src/notifications/decision-engine.ts

@@ -13,6 +13,7 @@ import { v4 as uuid } from "uuid";
 
 import { getDeliverableChannels } from "../channels/config.js";
 import { getConfig } from "../config/loader.js";
+import { resolveGuardianPersona } from "../prompts/persona-resolver.js";
 import { buildCoreIdentityContext } from "../prompts/system-prompt.js";
 import {
   createTimeout,
@@ -800,7 +801,9 @@ async function classifyWithLLM(
   const candidateContext = candidateSet
     ? (serializeCandidatesForPrompt(candidateSet) ?? undefined)
     : undefined;
-  const rawIdentityContext = buildCoreIdentityContext();
+  const rawIdentityContext = buildCoreIdentityContext({
+    userPersona: resolveGuardianPersona(),
+  });
   const identityContext = rawIdentityContext
     ? truncate(rawIdentityContext, MAX_IDENTITY_CONTEXT_CHARS, "\n…[truncated]")
     : undefined;

package/src/notifications/signal.ts

@@ -151,6 +151,8 @@ export interface AccessRequestContextPayload {
   guardianBindingChannel: string | null;
   guardianResolutionSource: GuardianResolutionSource;
   previousMemberStatus: string | null;
+  /** Preview of the requester's original message (first ~200 chars). */
+  messagePreview: string | null;
 }
 
 export interface NotificationEventContextPayloadMap {

package/src/notifications/types.ts

@@ -79,6 +79,8 @@ export interface ChannelDeliveryPayload {
   sourceEventName: string;
   copy: RenderedChannelCopy;
   deepLinkTarget?: Record<string, unknown>;
+  /** Original signal context payload — available for channel-specific structured rendering. */
+  contextPayload?: Record<string, unknown>;
 }
 
 /** Interface that each channel adapter must implement. */

package/src/oauth/connection-resolver.ts

@@ -156,10 +156,12 @@ async function resolvePlatformConnectionId(
     );
   }
 
-  const body = (await response.json()) as {
-    results?: Array<{ id: string; account_label?: string }>;
-  };
-  const connections = body.results ?? [];
+  const body = (await response.json()) as unknown;
+  const connections = (
+    Array.isArray(body)
+      ? body
+      : ((body as Record<string, unknown>).results ?? [])
+  ) as Array<{ id: string; account_label?: string }>;
 
   if (connections.length === 0) {
     throw new Error(

package/src/permissions/checker.ts

@@ -147,7 +147,6 @@ const LOW_RISK_PROGRAMS = new Set([
   "du",
   "df",
   "assistant",
-  "vellum",
 ]);
 
 // High-risk shell programs / patterns
@@ -201,32 +200,6 @@ const LOW_RISK_GIT_SUBCOMMANDS = new Set([
   "reflog",
 ]);
 
-// Mutating assistant/vellum CLI subcommands that should be escalated to Medium
-// risk. Most assistant/vellum subcommands are read-only and stay Low risk.
-// This mirrors the git subcommand pattern — only known mutating operations
-// get escalated.
-const MEDIUM_RISK_CLI_SUBCOMMANDS = new Set([
-  "credentials",
-  "config",
-  "bash",
-  "trust",
-  "autonomy",
-  "contacts",
-  "mcp",
-  "keys",
-  "wake",
-  "sleep",
-  "hatch",
-  "retire",
-  "clean",
-  "setup",
-  "upgrade",
-  "recover",
-  "login",
-  "use",
-  "pair",
-]);
-
 // Commands that wrap another program — the real program appears as the first
 // non-flag argument.  When one of these is the segment program we look through
 // its args to find the effective program (e.g. `env curl …` → curl).
@@ -771,17 +744,6 @@ async function classifyRiskUncached(
         continue;
       }
 
-      if (prog === "vellum" || prog === "assistant") {
-        const subcommand = firstPositionalArg(seg.args);
-        if (subcommand && MEDIUM_RISK_CLI_SUBCOMMANDS.has(subcommand)) {
-          // Known mutating subcommands are medium
-          maxRisk = RiskLevel.Medium;
-          continue;
-        }
-        // Read-only / unknown subcommands stay at current risk
-        continue;
-      }
-
       if (!LOW_RISK_PROGRAMS.has(prog)) {
         // Unknown program → medium
         if (maxRisk === RiskLevel.Low) {

package/src/permissions/shell-identity.ts

@@ -105,8 +105,10 @@ export async function analyzeShellCommand(
  *   - action:gh pr
  *   - action:gh
  *
- * Only "simple action" commands (optional setup prefix + one action) get
- * action keys. Pipelines and complex chains are marked non-simple.
+ * Simple actions (optional setup prefix + one action) and pipelines get
+ * action keys. Both are marked non-simple when they involve pipes, but
+ * pipelines extract keys from the first segment before the first pipe.
+ * Complex chains (semicolons, ||, &, newlines) get no action keys.
  */
 export function deriveShellActionKeys(
   analysis: ShellIdentityAnalysis,
@@ -117,18 +119,22 @@ export function deriveShellActionKeys(
     return { keys: [], isSimpleAction: false };
   }
 
-  // For multi-segment commands, only allow simple-action classification if
-  // ALL inter-segment operators are explicitly &&. Any other operator (|, ||,
-  // ;, &, empty/missing) means the separator is unknown or unsafe.
-  // This safely handles cases where the parser doesn't capture certain
-  // separators (;, newline, &) and leaves them as empty operators.
+  // For multi-segment commands, check operators to determine the command shape.
+  // Pipes (|) get special handling — we can extract action keys from the first
+  // segment before the pipe. Other complex operators (||, ;, &, empty/missing)
+  // are truly opaque and get no action keys.
   if (segments.length > 1) {
+    let hasPipe = false;
+
     for (const seg of segments) {
       const op = seg.operator;
-      // Non-empty operator that isn't && → definitely complex
-      if (op && op !== "&&") {
+      // Non-empty operator that isn't && or | → definitely complex, no keys
+      if (op && op !== "&&" && op !== "|") {
         return { keys: [], isSimpleAction: false };
       }
+      if (op === "|") {
+        hasPipe = true;
+      }
     }
     // Also check: if there are multiple segments but no operators at all
     // between them (e.g. newline-separated), that's suspicious.
@@ -140,6 +146,42 @@ export function deriveShellActionKeys(
         return { keys: [], isSimpleAction: false };
       }
     }
+
+    // For pipelines, extract action keys from the first non-setup-prefix segment
+    // before the first pipe. This enables broader "Any pdftotext command" rules
+    // that match pipelines like "pdftotext file | head -100".
+    if (hasPipe) {
+      const firstPipeIndex = segments.findIndex((s) => s.operator === "|");
+      if (firstPipeIndex > 0) {
+        const preSegments = segments.slice(0, firstPipeIndex);
+        const actionSegs = preSegments.filter(
+          (s) => !SETUP_PREFIX_PROGRAMS.has(s.program),
+        );
+        if (actionSegs.length === 1) {
+          const seg = actionSegs[0];
+          const tokens: string[] = [seg.program];
+          for (const arg of seg.args) {
+            if (tokens.length >= MAX_ACTION_KEY_DEPTH) break;
+            if (arg.startsWith("-")) continue;
+            if (arg.includes("/") || arg.startsWith(".")) continue;
+            if (/^\d+$/.test(arg)) continue;
+            if (arg.includes("$") || arg.includes('"') || arg.includes("'"))
+              continue;
+            tokens.push(arg);
+          }
+          const keys: ShellActionKey[] = [];
+          for (let depth = tokens.length; depth >= 1; depth--) {
+            keys.push({
+              key: `action:${tokens.slice(0, depth).join(" ")}`,
+              depth,
+            });
+          }
+          return { keys, isSimpleAction: false, primarySegment: seg };
+        }
+      }
+      // Pipeline but couldn't extract a single primary action — no keys
+      return { keys: [], isSimpleAction: false };
+    }
   }
 
   // Separate setup-prefix segments from action segments
@@ -190,9 +232,10 @@ export function deriveShellActionKeys(
  * Candidate ordering:
  *   1. Raw command (most specific match — the full command as written)
  *   2. Canonical primary command (if simple action) — the full primary segment text
- *   3. Action keys from narrowest to broadest (if simple action)
+ *   3. Action keys from narrowest to broadest (if simple action or pipeline)
  *
- * Complex commands (pipelines, multi-action chains) only return the raw candidate.
+ * Complex non-pipeline commands (multi-action chains, semicolons, etc.) only
+ * return the raw candidate.
  */
 export async function buildShellCommandCandidates(
   command: string,
@@ -206,14 +249,15 @@ export async function buildShellCommandCandidates(
 
   const candidates: string[] = [trimmed];
 
-  if (actionResult.isSimpleAction && actionResult.primarySegment) {
-    // Add canonical primary command text (the actual segment, not the full command with setup prefixes)
-    const canonical = actionResult.primarySegment.command;
-    if (canonical !== trimmed) {
-      candidates.push(canonical);
+  // Add action keys as candidates if available (simple actions AND pipelines)
+  if (actionResult.keys.length > 0) {
+    // For simple actions, also add the canonical primary command text
+    if (actionResult.isSimpleAction && actionResult.primarySegment) {
+      const canonical = actionResult.primarySegment.command;
+      if (canonical !== trimmed) {
+        candidates.push(canonical);
+      }
     }
-
-    // Add action keys
     for (const actionKey of actionResult.keys) {
       candidates.push(actionKey.key);
     }
@@ -231,8 +275,9 @@ export async function buildShellCommandCandidates(
  *   2. Deepest action key (e.g. "action:gh pr view")
  *   3. Broader action keys (e.g. "action:gh pr", "action:gh")
  *
- * For complex commands (pipelines, multi-action chains), only the exact
- * command is offered (no broad options).
+ * For pipelines, the exact command plus action-key-based broader options
+ * are offered. For other complex commands (multi-action chains, semicolons,
+ * etc.), only the exact command is offered.
  */
 export async function buildShellAllowlistOptions(
   command: string,
@@ -244,14 +289,23 @@ export async function buildShellAllowlistOptions(
   const actionResult = deriveShellActionKeys(analysis);
 
   if (!actionResult.isSimpleAction || !actionResult.primarySegment) {
-    // Complex command — exact only
-    return [
+    const options: AllowlistOption[] = [
       {
         label: trimmed,
         description: "This exact compound command",
         pattern: trimmed,
       },
     ];
+    // If pipeline action keys were extracted, offer them as broader options
+    for (const actionKey of actionResult.keys) {
+      const keyTokens = actionKey.key.replace(/^action:/, "");
+      options.push({
+        label: `${keyTokens} *`,
+        description: `Any "${keyTokens}" command`,
+        pattern: actionKey.key,
+      });
+    }
+    return options;
   }
 
   const options: AllowlistOption[] = [];

package/src/permissions/types.ts

@@ -24,7 +24,8 @@ export type UserDecision =
   | "always_allow_high_risk"
   | "deny"
   | "always_deny"
-  | "temporary_override";
+  | "temporary_override"
+  | "dangerously_skip_permissions";
 
 /** Returns true for any allow-variant decision. Centralizes the check to prevent omissions when new allow variants are added. */
 export function isAllowDecision(decision: UserDecision): boolean {
@@ -34,7 +35,8 @@ export function isAllowDecision(decision: UserDecision): boolean {
     decision === "allow_conversation" ||
     decision === "always_allow" ||
     decision === "always_allow_high_risk" ||
-    decision === "temporary_override"
+    decision === "temporary_override" ||
+    decision === "dangerously_skip_permissions"
   );
 }
 

package/src/platform/client.ts

@@ -7,6 +7,8 @@
 
 import { getPlatformAssistantId } from "../config/env.js";
 import { resolveManagedProxyContext } from "../providers/managed-proxy/context.js";
+import { credentialKey } from "../security/credential-key.js";
+import { getSecureKeyAsync } from "../security/secure-keys.js";
 
 export class VellumPlatformClient {
   private readonly platformBaseUrl: string;
@@ -26,21 +28,47 @@ export class VellumPlatformClient {
   /**
    * Create a platform client by resolving managed proxy context.
    *
+   * First tries the in-memory managed proxy context (available when the daemon
+   * has rehydrated env overrides). Falls back to reading platform credentials
+   * directly from the secure keychain so that standalone CLI invocations work
+   * without the daemon having run its rehydration step.
+   *
    * Returns `null` when auth prerequisites are missing (not logged in, no API
    * key). The assistant ID is resolved but not required — callers that need it
    * should check `platformAssistantId` themselves.
    */
   static async create(): Promise<VellumPlatformClient | null> {
     const ctx = await resolveManagedProxyContext();
-    if (!ctx.enabled) return null;
 
-    const assistantId = getPlatformAssistantId();
+    let baseUrl = ctx.enabled ? ctx.platformBaseUrl : "";
+    let apiKey = ctx.enabled ? ctx.assistantApiKey : "";
+    let assistantId = getPlatformAssistantId();
+
+    // Fall back to keychain for values not yet rehydrated (standalone CLI).
+    if (!baseUrl) {
+      baseUrl =
+        (await getSecureKeyAsync(
+          credentialKey("vellum", "platform_base_url"),
+        )) ?? "";
+    }
+    if (!apiKey) {
+      apiKey =
+        (await getSecureKeyAsync(
+          credentialKey("vellum", "assistant_api_key"),
+        )) ?? "";
+    }
+    if (!assistantId) {
+      assistantId =
+        (
+          await getSecureKeyAsync(
+            credentialKey("vellum", "platform_assistant_id"),
+          )
+        )?.trim() ?? "";
+    }
+
+    if (!baseUrl || !apiKey) return null;
 
-    return new VellumPlatformClient(
-      ctx.platformBaseUrl,
-      ctx.assistantApiKey,
-      assistantId,
-    );
+    return new VellumPlatformClient(baseUrl, apiKey, assistantId);
   }
 
   /**