@vellumai/assistant 0.5.6 → 0.5.8

package/src/providers/registry.ts

@@ -1,8 +1,6 @@
-import { wrapWithLogfire } from "../logfire.js";
 import { getProviderKeyAsync } from "../security/secure-keys.js";
-import { ConfigError, ProviderNotConfiguredError } from "../util/errors.js";
+import { ProviderNotConfiguredError } from "../util/errors.js";
 import { AnthropicProvider } from "./anthropic/client.js";
-import { FailoverProvider, type ProviderHealthStatus } from "./failover.js";
 import { FireworksProvider } from "./fireworks/client.js";
 import { GeminiProvider } from "./gemini/client.js";
 import {
@@ -18,8 +16,6 @@ import type { Provider } from "./types.js";
 
 const providers = new Map<string, Provider>();
 const routingSources = new Map<string, "user-key" | "managed-proxy">();
-let cachedFailoverProvider: FailoverProvider | null = null;
-let cachedFailoverKey: string | null = null;
 
 export function registerProvider(name: string, provider: Provider): void {
   providers.set(name, provider);
@@ -28,95 +24,11 @@ export function registerProvider(name: string, provider: Provider): void {
 export function getProvider(name: string): Provider {
   const provider = providers.get(name);
   if (!provider) {
-    throw new ConfigError(
-      `Provider "${name}" not found. Available: ${listProviders().join(", ")}`,
-    );
+    throw new ProviderNotConfiguredError(name, listProviders());
   }
   return provider;
 }
 
-export interface ProviderSelection {
-  /** Ordered list of available provider names */
-  availableProviders: string[];
-  /** The selected (effective) primary provider name, or null if none available */
-  selectedPrimary: string | null;
-  /** Whether the effective primary differs from the requested primary */
-  usedFallbackPrimary: boolean;
-}
-
-/**
- * Resolve provider selection from requested primary and provider order.
- * Dedupes [requestedPrimary, ...providerOrder], filtered to initialized providers.
- * Returns null selectedPrimary when no providers are available.
- */
-export function resolveProviderSelection(
-  requestedPrimary: string,
-  providerOrder: string[],
-): ProviderSelection {
-  const ordered: string[] = [];
-  const seen = new Set<string>();
-
-  for (const name of [requestedPrimary, ...providerOrder]) {
-    if (seen.has(name)) continue;
-    seen.add(name);
-    if (providers.has(name)) {
-      ordered.push(name);
-    }
-  }
-
-  if (ordered.length === 0) {
-    return {
-      availableProviders: [],
-      selectedPrimary: null,
-      usedFallbackPrimary: false,
-    };
-  }
-
-  return {
-    availableProviders: ordered,
-    selectedPrimary: ordered[0],
-    usedFallbackPrimary: ordered[0] !== requestedPrimary,
-  };
-}
-
-/**
- * Build a provider that tries the effective primary provider first, then falls
- * back to others in the configured order. If the requested primary is not
- * available, automatically selects the first available provider from the
- * deduped [primaryName, ...providerOrder] list (fail-open).
- *
- * Throws ConfigError only when NO providers are available at all.
- * Caches the FailoverProvider instance so health state persists across calls.
- */
-export function getFailoverProvider(
-  primaryName: string,
-  providerOrder: string[],
-): Provider {
-  const selection = resolveProviderSelection(primaryName, providerOrder);
-
-  if (!selection.selectedPrimary) {
-    throw new ProviderNotConfiguredError(primaryName, listProviders());
-  }
-
-  const orderedProviders: Provider[] = selection.availableProviders.map(
-    (name) => providers.get(name)!,
-  );
-
-  if (orderedProviders.length === 1) {
-    return orderedProviders[0];
-  }
-
-  // Cache key from effective ordered providers (not raw input strings)
-  const cacheKey = selection.availableProviders.join(",");
-  if (cachedFailoverProvider && cachedFailoverKey === cacheKey) {
-    return cachedFailoverProvider;
-  }
-
-  cachedFailoverProvider = new FailoverProvider(orderedProviders);
-  cachedFailoverKey = cacheKey;
-  return cachedFailoverProvider;
-}
-
 export function listProviders(): string[] {
   return Array.from(providers.keys());
 }
@@ -152,7 +64,6 @@ export interface ProvidersConfig {
       provider: string;
     };
   };
-  providerOrder?: string[];
   timeouts?: { providerStreamTimeoutSec?: number };
 }
 
@@ -173,53 +84,6 @@ function resolveModel(config: ProvidersConfig, providerName: string): string {
   return getProviderDefaultModel(providerName);
 }
 
-export interface ProviderDebugStatus {
-  configuredPrimary: string;
-  activePrimary: string | null;
-  usedFallback: boolean;
-  registeredProviders: string[];
-  failoverHealth: ProviderHealthStatus[] | null;
-  overallHealth: "healthy" | "degraded" | "down";
-  routingSources: Record<string, "user-key" | "managed-proxy">;
-}
-
-export function getProviderDebugStatus(
-  configuredProvider: string,
-  providerOrder: string[],
-): ProviderDebugStatus {
-  const registered = listProviders();
-  const selection = resolveProviderSelection(configuredProvider, providerOrder);
-
-  let failoverHealth: ProviderHealthStatus[] | null = null;
-  if (cachedFailoverProvider) {
-    failoverHealth = cachedFailoverProvider.getHealthStatus();
-  }
-
-  let overallHealth: "healthy" | "degraded" | "down" = "down";
-  if (registered.length > 0 && selection.selectedPrimary) {
-    if (!failoverHealth) {
-      overallHealth = "healthy";
-    } else {
-      const healthyCount = failoverHealth.filter((h) => h.healthy).length;
-      if (healthyCount === failoverHealth.length) {
-        overallHealth = "healthy";
-      } else if (healthyCount > 0) {
-        overallHealth = "degraded";
-      }
-    }
-  }
-
-  return {
-    configuredPrimary: configuredProvider,
-    activePrimary: selection.selectedPrimary,
-    usedFallback: selection.usedFallbackPrimary,
-    registeredProviders: registered,
-    failoverHealth,
-    overallHealth,
-    routingSources: Object.fromEntries(routingSources),
-  };
-}
-
 /**
  * Resolve provider credentials using mode-aware logic.
  * In "managed" mode, routes through the platform proxy.
@@ -274,8 +138,6 @@ export async function initializeProviders(
 ): Promise<void> {
   providers.clear();
   routingSources.clear();
-  cachedFailoverProvider = null;
-  cachedFailoverKey = null;
 
   const streamTimeoutMs =
     (config.timeouts?.providerStreamTimeoutSec ?? 300) * 1000;
@@ -293,15 +155,13 @@ export async function initializeProviders(
     registerProvider(
       "anthropic",
       new RetryProvider(
-        wrapWithLogfire(
-          new AnthropicProvider(anthropicCreds.apiKey, model, {
-            useNativeWebSearch,
-            streamTimeoutMs,
-            ...(anthropicCreds.baseURL
-              ? { baseURL: anthropicCreds.baseURL }
-              : {}),
-          }),
-        ),
+        new AnthropicProvider(anthropicCreds.apiKey, model, {
+          useNativeWebSearch,
+          streamTimeoutMs,
+          ...(anthropicCreds.baseURL
+            ? { baseURL: anthropicCreds.baseURL }
+            : {}),
+        }),
       ),
     );
     routingSources.set("anthropic", anthropicCreds.source);
@@ -314,12 +174,10 @@ export async function initializeProviders(
     registerProvider(
       "openai",
       new RetryProvider(
-        wrapWithLogfire(
-          new OpenAIProvider(openaiCreds.apiKey, model, {
-            streamTimeoutMs,
-            ...(openaiCreds.baseURL ? { baseURL: openaiCreds.baseURL } : {}),
-          }),
-        ),
+        new OpenAIProvider(openaiCreds.apiKey, model, {
+          streamTimeoutMs,
+          ...(openaiCreds.baseURL ? { baseURL: openaiCreds.baseURL } : {}),
+        }),
       ),
     );
     routingSources.set("openai", openaiCreds.source);
@@ -332,14 +190,12 @@ export async function initializeProviders(
     registerProvider(
       "gemini",
       new RetryProvider(
-        wrapWithLogfire(
-          new GeminiProvider(geminiCreds.apiKey, model, {
-            streamTimeoutMs,
-            ...(geminiCreds.baseURL
-              ? { managedBaseUrl: geminiCreds.baseURL }
-              : {}),
-          }),
-        ),
+        new GeminiProvider(geminiCreds.apiKey, model, {
+          streamTimeoutMs,
+          ...(geminiCreds.baseURL
+            ? { managedBaseUrl: geminiCreds.baseURL }
+            : {}),
+        }),
       ),
     );
     routingSources.set("gemini", geminiCreds.source);
@@ -352,12 +208,10 @@ export async function initializeProviders(
     registerProvider(
       "ollama",
       new RetryProvider(
-        wrapWithLogfire(
-          new OllamaProvider(model, {
-            apiKey: ollamaKey ?? undefined,
-            streamTimeoutMs,
-          }),
-        ),
+        new OllamaProvider(model, {
+          apiKey: ollamaKey ?? undefined,
+          streamTimeoutMs,
+        }),
       ),
     );
     routingSources.set("ollama", "user-key");
@@ -370,11 +224,9 @@ export async function initializeProviders(
     registerProvider(
       "fireworks",
       new RetryProvider(
-        wrapWithLogfire(
-          new FireworksProvider(fireworksKey, model, {
-            streamTimeoutMs,
-          }),
-        ),
+        new FireworksProvider(fireworksKey, model, {
+          streamTimeoutMs,
+        }),
       ),
     );
     routingSources.set("fireworks", "user-key");
@@ -387,11 +239,9 @@ export async function initializeProviders(
     registerProvider(
       "openrouter",
       new RetryProvider(
-        wrapWithLogfire(
-          new OpenRouterProvider(openrouterKey, model, {
-            streamTimeoutMs,
-          }),
-        ),
+        new OpenRouterProvider(openrouterKey, model, {
+          streamTimeoutMs,
+        }),
       ),
     );
     routingSources.set("openrouter", "user-key");

package/src/providers/types.ts

@@ -130,7 +130,7 @@ export type ProviderEvent =
 export interface SendMessageConfig {
   model?: string;
   modelIntent?: ModelIntent;
-  effort?: "low" | "medium" | "high";
+  effort?: "low" | "medium" | "high" | "max";
   [key: string]: unknown;
 }
 

package/src/runtime/access-request-helper.ts

@@ -55,6 +55,8 @@ export interface AccessRequestParams {
   actorDisplayName?: string;
   actorUsername?: string;
   previousMemberStatus?: Exclude<ChannelStatus, "unverified">;
+  /** Preview of the requester's original message, shown to the guardian. */
+  messagePreview?: string;
 }
 
 export type AccessRequestResult =
@@ -90,6 +92,7 @@ export function notifyGuardianOfAccessRequest(
     actorDisplayName,
     actorUsername,
     previousMemberStatus,
+    messagePreview,
   } = params;
 
   if (!actorExternalId) {
@@ -244,6 +247,7 @@ export function notifyGuardianOfAccessRequest(
       guardianBindingChannel,
       guardianResolutionSource,
       previousMemberStatus: previousMemberStatus ?? null,
+      messagePreview: messagePreview ?? null,
     },
     dedupeKey: `access-request:${canonicalRequest.id}`,
     onConversationCreated: (info) => {

package/src/runtime/auth/__tests__/credential-service.test.ts

@@ -17,7 +17,6 @@ mock.module("../../../util/platform.js", () => ({
   getDataDir: () => testDir,
   getDbPath: () => join(testDir, "test.db"),
   normalizeAssistantId: (id: string) => (id === "self" ? "self" : id),
-  readLockfile: () => ({ assistants: [{ assistantId: "vellum-test-eel" }] }),
   isMacOS: () => process.platform === "darwin",
   isLinux: () => process.platform === "linux",
   isWindows: () => process.platform === "win32",

package/src/runtime/auth/__tests__/external-assistant-id.test.ts

@@ -1,21 +1,7 @@
 /**
- * Tests for getExternalAssistantId resolution order.
+ * Tests for getExternalAssistantId.
  */
-import { afterEach, describe, expect, mock, test } from "bun:test";
-
-mock.module("../../../util/logger.js", () => ({
-  getLogger: () =>
-    new Proxy({} as Record<string, unknown>, {
-      get: () => () => {},
-    }),
-}));
-
-// Controllable mock for readLockfile — defaults to null (no lockfile data)
-const mockReadLockfile = mock(() => null as Record<string, unknown> | null);
-
-mock.module("../../../util/platform.js", () => ({
-  readLockfile: mockReadLockfile,
-}));
+import { afterEach, describe, expect, test } from "bun:test";
 
 import {
   getExternalAssistantId,
@@ -24,65 +10,24 @@ import {
 
 afterEach(() => {
   resetExternalAssistantIdCache();
-  mockReadLockfile.mockReset();
-  mockReadLockfile.mockImplementation(() => null);
-  delete process.env.BASE_DATA_DIR;
+  delete process.env.VELLUM_ASSISTANT_NAME;
 });
 
 describe("getExternalAssistantId", () => {
-  test("resolves from lockfile assistants array (most recently hatched)", () => {
-    mockReadLockfile.mockImplementation(() => ({
-      assistants: [
-        { assistantId: "vellum-old-fox", hatchedAt: "2025-01-01T00:00:00Z" },
-        { assistantId: "vellum-new-eel", hatchedAt: "2025-06-15T12:00:00Z" },
-      ],
-    }));
-    expect(getExternalAssistantId()).toBe("vellum-new-eel");
-  });
-
-  test("resolves from lockfile with single assistant entry", () => {
-    mockReadLockfile.mockImplementation(() => ({
-      assistants: [
-        { assistantId: "vellum-solo-cat", hatchedAt: "2025-03-01T00:00:00Z" },
-      ],
-    }));
-    expect(getExternalAssistantId()).toBe("vellum-solo-cat");
-  });
-
-  test("resolves from BASE_DATA_DIR when lockfile has no data", () => {
-    process.env.BASE_DATA_DIR = "/tmp/vellum/assistants/vellum-true-eel";
-    expect(getExternalAssistantId()).toBe("vellum-true-eel");
-  });
-
-  test("resolves from BASE_DATA_DIR with trailing slash", () => {
-    process.env.BASE_DATA_DIR = "/tmp/vellum/assistants/vellum-cool-heron/";
-    expect(getExternalAssistantId()).toBe("vellum-cool-heron");
-  });
-
-  test("resolves from BASE_DATA_DIR with Windows-style backslashes", () => {
-    process.env.BASE_DATA_DIR =
-      "C:\\Users\\user\\.local\\share\\vellum\\assistants\\vellum-nice-fox";
-    expect(getExternalAssistantId()).toBe("vellum-nice-fox");
-  });
-
-  test("resolves from BASE_DATA_DIR with /instances/<name> path", () => {
-    process.env.BASE_DATA_DIR = "/home/user/.vellum/instances/vellum-swift-owl";
-    expect(getExternalAssistantId()).toBe("vellum-swift-owl");
-  });
-
-  test("resolves from BASE_DATA_DIR with /instances/<name> trailing slash", () => {
-    process.env.BASE_DATA_DIR =
-      "/home/user/.vellum/instances/vellum-swift-owl/";
-    expect(getExternalAssistantId()).toBe("vellum-swift-owl");
+  test("resolves from VELLUM_ASSISTANT_NAME env var", () => {
+    process.env.VELLUM_ASSISTANT_NAME = "vellum-cool-eel";
+    expect(getExternalAssistantId()).toBe("vellum-cool-eel");
   });
 
-  test("falls back to undefined when BASE_DATA_DIR does not match known patterns", () => {
-    process.env.BASE_DATA_DIR = "/tmp/some-other-path";
-    expect(getExternalAssistantId()).toBe(undefined);
+  test("caches the resolved value", () => {
+    process.env.VELLUM_ASSISTANT_NAME = "vellum-cool-eel";
+    expect(getExternalAssistantId()).toBe("vellum-cool-eel");
+    // Change env var — cached value should still be returned
+    process.env.VELLUM_ASSISTANT_NAME = "vellum-other-fox";
+    expect(getExternalAssistantId()).toBe("vellum-cool-eel");
   });
 
-  test("falls back to undefined when BASE_DATA_DIR is not set", () => {
-    delete process.env.BASE_DATA_DIR;
+  test("returns undefined when env var is not set", () => {
     expect(getExternalAssistantId()).toBe(undefined);
   });
 });

package/src/runtime/auth/__tests__/guard-tests.test.ts

@@ -16,6 +16,10 @@ import { readFileSync } from "node:fs";
 import { basename, resolve } from "node:path";
 import { describe, expect, test } from "bun:test";
 
+// Cross-package import: gateway duplicates the epoch constant and both must
+// stay in sync. Importing directly is more reliable than regex-extracting.
+import { CURRENT_POLICY_EPOCH as GATEWAY_POLICY_EPOCH } from "../../../../../gateway/src/auth/policy.js";
+import { CURRENT_POLICY_EPOCH } from "../policy.js";
 import { resolveScopeProfile } from "../scopes.js";
 import type { Scope, ScopeProfile } from "../types.js";
 
@@ -337,56 +341,11 @@ describe("scope profile contract", () => {
 // ---------------------------------------------------------------------------
 
 describe("CURRENT_POLICY_EPOCH sync", () => {
-  /**
-   * The policy epoch constant is duplicated in assistant, gateway, and cli
-   * packages. This test reads the exported value from each source file and
-   * asserts they are all equal.
-   */
-
-  const EPOCH_FILES = [
-    {
-      label: "assistant",
-      path: resolve(PROJECT_ROOT, "assistant/src/runtime/auth/policy.ts"),
-    },
-    {
-      label: "gateway",
-      path: resolve(PROJECT_ROOT, "gateway/src/auth/policy.ts"),
-    },
-  ];
-
-  function extractEpoch(filePath: string): number {
-    const src = readFileSync(filePath, "utf-8");
-    const match = src.match(
-      /export\s+const\s+CURRENT_POLICY_EPOCH\s*=\s*(\d+)/,
-    );
-    if (!match) {
-      throw new Error(`Could not find CURRENT_POLICY_EPOCH in ${filePath}`);
-    }
-    return parseInt(match[1], 10);
-  }
-
-  test("all non-skill packages export the same CURRENT_POLICY_EPOCH value", () => {
-    const values = EPOCH_FILES.map((f) => ({
-      label: f.label,
-      epoch: extractEpoch(f.path),
-    }));
-
-    const canonical = values[0];
-    const mismatches = values.filter((v) => v.epoch !== canonical.epoch);
-
-    if (mismatches.length > 0) {
-      const summary = values
-        .map((v) => `  - ${v.label}: ${v.epoch}`)
-        .join("\n");
-      const message = [
-        "CURRENT_POLICY_EPOCH is out of sync across packages:",
-        "",
-        summary,
-        "",
-        "All locations must have the same value.",
+  test("assistant and gateway export the same CURRENT_POLICY_EPOCH value", () => {
+    expect(
+      CURRENT_POLICY_EPOCH,
+      `CURRENT_POLICY_EPOCH mismatch: assistant=${CURRENT_POLICY_EPOCH}, gateway=${GATEWAY_POLICY_EPOCH}. ` +
         "The canonical source is assistant/src/runtime/auth/policy.ts.",
-      ].join("\n");
-      expect(mismatches, message).toEqual([]);
-    }
+    ).toBe(GATEWAY_POLICY_EPOCH);
   });
 });

package/src/runtime/auth/external-assistant-id.ts

@@ -6,81 +6,35 @@
  * must identify which assistant the token belongs to, while the daemon
  * internally uses 'self'.
  *
- * Resolution order:
- *   1. Cached in-memory value (populated on first call)
- *   2. Most recently hatched entry in lockfile assistants array
- *      (sorted by `hatchedAt` descending) → assistantId
- *   3. BASE_DATA_DIR path matching `/assistants/<name>` or `/instances/<name>` suffix
- *   4. `undefined` — callers must handle the missing value
+ * Reads from the VELLUM_ASSISTANT_NAME env var, which is set by CLI
+ * hatch and Docker setup. Returns `undefined` if the env var is not set.
  *
- * The value is cached in memory after the first successful read.
+ * The value is cached in memory after the first read.
  */
 
-import { getBaseDataDir } from "../../config/env-registry.js";
 import { getLogger } from "../../util/logger.js";
-import { readLockfile } from "../../util/platform.js";
 
 const log = getLogger("external-assistant-id");
 
 let cached: string | null | undefined;
 
 /**
- * Get the external assistant ID.
- *
- * Resolution order:
- *   1. Cached in-memory value (populated on first call)
- *   2. Most recently hatched entry in lockfile assistants array
- *      (sorted by `hatchedAt` descending) → assistantId
- *   3. BASE_DATA_DIR path matching `/assistants/<name>` or `/instances/<name>` suffix
- *   4. `undefined` when resolution fails entirely
+ * Get the external assistant ID from the VELLUM_ASSISTANT_NAME env var.
+ * Returns `undefined` when the env var is not set.
  */
 export function getExternalAssistantId(): string | undefined {
   if (cached !== undefined) {
     return cached ?? undefined;
   }
 
-  try {
-    const lockData = readLockfile();
-    if (lockData) {
-      const assistants = lockData.assistants as
-        | Array<Record<string, unknown>>
-        | undefined;
-      if (assistants && assistants.length > 0) {
-        // Sort by hatchedAt descending to use the most recent entry,
-        // matching the pattern used elsewhere in the codebase.
-        const sorted = [...assistants].sort((a, b) => {
-          const dateA = new Date((a.hatchedAt as string) || 0).getTime();
-          const dateB = new Date((b.hatchedAt as string) || 0).getTime();
-          return dateB - dateA;
-        });
-        const latest = sorted[0];
-        if (typeof latest.assistantId === "string") {
-          cached = latest.assistantId;
-          log.info(
-            { externalAssistantId: cached },
-            "Resolved external assistant ID from lockfile",
-          );
-          return cached;
-        }
-      }
-    }
-  } catch (err) {
-    log.warn({ err }, "Failed to read lockfile for external assistant ID");
-  }
-
-  // Fallback: derive from BASE_DATA_DIR path
-  const base = getBaseDataDir();
-  if (base && typeof base === "string") {
-    const normalized = base.replace(/\\/g, "/").replace(/\/+$/, "");
-    const match = normalized.match(/\/(?:assistants|instances)\/([^/]+)$/);
-    if (match) {
-      cached = match[1];
-      log.info(
-        { externalAssistantId: cached },
-        "Resolved external assistant ID from BASE_DATA_DIR",
-      );
-      return cached;
-    }
+  const envName = process.env.VELLUM_ASSISTANT_NAME;
+  if (envName) {
+    cached = envName;
+    log.info(
+      { externalAssistantId: cached },
+      "Resolved external assistant ID from VELLUM_ASSISTANT_NAME",
+    );
+    return cached;
   }
 
   cached = null;

package/src/runtime/auth/route-policy.ts

@@ -259,6 +259,8 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
 
   // Secrets
   { endpoint: "secrets", scopes: ["settings.write"] },
+  { endpoint: "secrets:GET", scopes: ["settings.read"] },
+  { endpoint: "secrets/read", scopes: ["settings.write"] },
 
   // Pairing (authenticated)
   { endpoint: "pairing/register", scopes: ["settings.write"] },
@@ -352,6 +354,10 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   { endpoint: "config/permissions/skip:GET", scopes: ["settings.read"] },
   { endpoint: "config/permissions/skip:PUT", scopes: ["settings.write"] },
 
+  // Generic config read/patch
+  { endpoint: "config:GET", scopes: ["settings.read"] },
+  { endpoint: "config:PATCH", scopes: ["settings.write"] },
+
   // Conversation management
   { endpoint: "conversations:DELETE", scopes: ["chat.write"] },
   { endpoint: "conversations/wipe", scopes: ["chat.write"] },
@@ -366,6 +372,7 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   // Message content
   { endpoint: "messages/content", scopes: ["chat.read"] },
   { endpoint: "messages/llm-context", scopes: ["chat.read"] },
+  { endpoint: "messages/tts", scopes: ["chat.read"] },
 
   // Queued message deletion
   { endpoint: "messages/queued", scopes: ["chat.write"] },
@@ -443,7 +450,6 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
 
   // Diagnostics
   { endpoint: "export", scopes: ["settings.read"] },
-  { endpoint: "diagnostics/export", scopes: ["settings.read"] },
   { endpoint: "diagnostics/env-vars", scopes: ["settings.read"] },
 
   // Dictation
@@ -512,3 +518,13 @@ registerPolicy("admin/upgrade-broadcast", {
   requiredScopes: ["internal.write"],
   allowedPrincipalTypes: ["svc_gateway"],
 });
+
+registerPolicy("admin/workspace-commit", {
+  requiredScopes: ["internal.write"],
+  allowedPrincipalTypes: ["svc_gateway"],
+});
+
+registerPolicy("admin/rollback-migrations", {
+  requiredScopes: ["internal.write"],
+  allowedPrincipalTypes: ["svc_gateway"],
+});