@vellumai/assistant 0.5.6 → 0.5.8

package/src/runtime/routes/secret-routes.ts

@@ -20,7 +20,10 @@ import { initializeProviders } from "../../providers/registry.js";
 import { credentialKey } from "../../security/credential-key.js";
 import {
   deleteSecureKeyAsync,
+  getActiveBackendName,
   getSecureKeyAsync,
+  getSecureKeyResultAsync,
+  listSecureKeysAsync,
   setSecureKeyAsync,
 } from "../../security/secure-keys.js";
 import {
@@ -103,11 +106,16 @@ export async function handleAddSecret(
   req: Request,
   getCesClient?: () => CesClient | undefined,
 ): Promise<Response> {
-  const body = (await req.json()) as {
-    type?: string;
-    name?: string;
-    value?: string;
-  };
+  let body: { type?: string; name?: string; value?: string };
+  try {
+    body = (await req.json()) as {
+      type?: string;
+      name?: string;
+      value?: string;
+    };
+  } catch {
+    return httpError("BAD_REQUEST", "Request body must be valid JSON", 400);
+  }
 
   const { type, name, value } = body;
 
@@ -178,7 +186,7 @@ export async function handleAddSecret(
       if (!stored) {
         return httpError(
           "INTERNAL_ERROR",
-          "Failed to store API key in secure storage",
+          `Failed to store API key in secure storage (backend: ${getActiveBackendName()})`,
           500,
         );
       }
@@ -190,7 +198,7 @@ export async function handleAddSecret(
     }
 
     if (type === "credential") {
-      const colonIdx = name.indexOf(":");
+      const colonIdx = name.lastIndexOf(":");
       if (colonIdx < 1 || colonIdx === name.length - 1) {
         return httpError(
           "BAD_REQUEST",
@@ -243,7 +251,7 @@ export async function handleAddSecret(
         if (!stored) {
           return httpError(
             "INTERNAL_ERROR",
-            "Failed to store credential in secure storage",
+            `Failed to store credential in secure storage (backend: ${getActiveBackendName()})`,
             500,
           );
         }
@@ -308,12 +316,90 @@ export async function handleAddSecret(
   }
 }
 
-export async function handleDeleteSecret(req: Request): Promise<Response> {
+export async function handleReadSecret(req: Request): Promise<Response> {
   const body = (await req.json()) as {
     type?: string;
     name?: string;
+    reveal?: boolean;
   };
 
+  const { type, name, reveal } = body;
+
+  if (!type || typeof type !== "string") {
+    return httpError("BAD_REQUEST", "type is required", 400);
+  }
+  if (!name || typeof name !== "string") {
+    return httpError("BAD_REQUEST", "name is required", 400);
+  }
+
+  try {
+    let accountKey: string;
+
+    if (type === "api_key") {
+      if (
+        !API_KEY_PROVIDERS.includes(name as (typeof API_KEY_PROVIDERS)[number])
+      ) {
+        return httpError(
+          "BAD_REQUEST",
+          `Unknown API key provider: ${name}. Valid providers: ${API_KEY_PROVIDERS.join(
+            ", ",
+          )}`,
+          400,
+        );
+      }
+      accountKey = name;
+    } else if (type === "credential") {
+      const colonIdx = name.lastIndexOf(":");
+      if (colonIdx < 1 || colonIdx === name.length - 1) {
+        return httpError(
+          "BAD_REQUEST",
+          'For credential type, name must be in "service:field" format (e.g. "github:api_token")',
+          400,
+        );
+      }
+      const service = name.slice(0, colonIdx);
+      const field = name.slice(colonIdx + 1);
+      accountKey = credentialKey(service, field);
+    } else {
+      return httpError(
+        "BAD_REQUEST",
+        `Unknown secret type: ${type}. Valid types: api_key, credential`,
+        400,
+      );
+    }
+
+    const { value, unreachable } = await getSecureKeyResultAsync(accountKey);
+    if (value === undefined) {
+      return Response.json({ found: false, unreachable });
+    }
+
+    if (reveal) {
+      return Response.json({ found: true, value, unreachable: false });
+    }
+
+    // Mask the value: show first 10 chars and last 4, hiding at least 3
+    const minHidden = 3;
+    const maxVisible = Math.max(1, value.length - minHidden);
+    const prefixLen = Math.min(10, maxVisible);
+    const suffixLen = Math.min(4, Math.max(0, maxVisible - prefixLen));
+    const masked = `${value.slice(0, prefixLen)}...${suffixLen > 0 ? value.slice(-suffixLen) : ""}`;
+
+    return Response.json({ found: true, masked, unreachable: false });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    log.error({ err, type, name }, "Failed to read secret via HTTP");
+    return httpError("INTERNAL_ERROR", message, 500);
+  }
+}
+
+export async function handleDeleteSecret(req: Request): Promise<Response> {
+  let body: { type?: string; name?: string };
+  try {
+    body = (await req.json()) as { type?: string; name?: string };
+  } catch {
+    return httpError("BAD_REQUEST", "Request body must be valid JSON", 400);
+  }
+
   const { type, name } = body;
 
   if (!type || typeof type !== "string") {
@@ -358,7 +444,7 @@ export async function handleDeleteSecret(req: Request): Promise<Response> {
     }
 
     if (type === "credential") {
-      const colonIdx = name.indexOf(":");
+      const colonIdx = name.lastIndexOf(":");
       if (colonIdx < 1 || colonIdx === name.length - 1) {
         return httpError(
           "BAD_REQUEST",
@@ -418,6 +504,41 @@ export async function handleDeleteSecret(req: Request): Promise<Response> {
   }
 }
 
+const CREDENTIAL_KEY_PREFIX = "credential/";
+
+export async function handleListSecrets(): Promise<Response> {
+  try {
+    const { accounts, unreachable } = await listSecureKeysAsync();
+    if (unreachable) {
+      return Response.json(
+        { error: "Credential store is unreachable" },
+        { status: 503 },
+      );
+    }
+
+    const secrets = accounts.map((account) => {
+      if (account.startsWith(CREDENTIAL_KEY_PREFIX)) {
+        // credential/{service}/{field} → service:field
+        const rest = account.slice(CREDENTIAL_KEY_PREFIX.length);
+        const slashIdx = rest.indexOf("/");
+        if (slashIdx > 0 && slashIdx < rest.length - 1) {
+          return {
+            type: "credential" as const,
+            name: `${rest.slice(0, slashIdx)}:${rest.slice(slashIdx + 1)}`,
+          };
+        }
+      }
+      // API key providers are stored with their raw provider name
+      return { type: "api_key" as const, name: account };
+    });
+
+    return Response.json({ secrets });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return httpError("INTERNAL_ERROR", message, 500);
+  }
+}
+
 // ---------------------------------------------------------------------------
 // Route definitions
 // ---------------------------------------------------------------------------
@@ -441,5 +562,15 @@ export function secretRouteDefinitions(
       method: "DELETE",
       handler: async ({ req }) => handleDeleteSecret(req),
     },
+    {
+      endpoint: "secrets",
+      method: "GET",
+      handler: async () => handleListSecrets(),
+    },
+    {
+      endpoint: "secrets/read",
+      method: "POST",
+      handler: async ({ req }) => handleReadSecret(req),
+    },
   ];
 }

package/src/runtime/routes/settings-routes.ts

@@ -10,7 +10,10 @@
 import { readFileSync } from "node:fs";
 import { join } from "node:path";
 
-import { setIngressPublicBaseUrl } from "../../config/env.js";
+import {
+  getPlatformBaseUrl,
+  setIngressPublicBaseUrl,
+} from "../../config/env.js";
 import { loadRawConfig, saveRawConfig } from "../../config/loader.js";
 import { loadSkillCatalog } from "../../config/skills.js";
 import {
@@ -728,6 +731,43 @@ export function settingsRouteDefinitions(): RouteDefinition[] {
       handler: () => handleEnvVars(),
     },
 
+    // Platform config (GET / PUT)
+    {
+      endpoint: "config/platform",
+      method: "GET",
+      policyKey: "config/platform:GET",
+      handler: () => {
+        const raw = loadRawConfig();
+        const platform = (raw?.platform ?? {}) as Record<string, unknown>;
+        const baseUrl =
+          (platform.baseUrl as string | undefined) || getPlatformBaseUrl();
+        return Response.json({ baseUrl, success: true });
+      },
+    },
+    {
+      endpoint: "config/platform",
+      method: "PUT",
+      policyKey: "config/platform",
+      handler: async ({ req }) => {
+        try {
+          const body = (await req.json()) as { baseUrl?: string };
+          const value = (body.baseUrl ?? "").trim().replace(/\/+$/, "");
+          const raw = loadRawConfig();
+          const platform = (raw?.platform ?? {}) as Record<string, unknown>;
+          platform.baseUrl = value || undefined;
+          saveRawConfig({ ...raw, platform });
+          return Response.json({ baseUrl: value, success: true });
+        } catch (err) {
+          const message = err instanceof Error ? err.message : String(err);
+          log.error({ err }, "Failed to update platform config via HTTP");
+          return Response.json(
+            { baseUrl: "", success: false, error: message },
+            { status: 500 },
+          );
+        }
+      },
+    },
+
     // Ingress config (GET / PUT)
     {
       endpoint: "integrations/ingress/config",

package/src/runtime/routes/tts-routes.ts

@@ -0,0 +1,96 @@
+/**
+ * HTTP route definitions for message text-to-speech synthesis.
+ *
+ * POST /v1/messages/:id/tts?conversationId=... — synthesize message text to audio
+ *
+ * Gated behind the `feature_flags.message-tts.enabled` assistant feature flag.
+ * Uses Fish Audio for synthesis when configured.
+ */
+
+import { synthesizeWithFishAudio } from "../../calls/fish-audio-client.js";
+import { sanitizeForTts } from "../../calls/tts-text-sanitizer.js";
+import { isAssistantFeatureFlagEnabled } from "../../config/assistant-feature-flags.js";
+import { getConfig } from "../../config/loader.js";
+import { getMessageContent } from "../../daemon/handlers/conversation-history.js";
+import { getLogger } from "../../util/logger.js";
+import { httpError } from "../http-errors.js";
+import type { RouteDefinition } from "../http-router.js";
+
+const log = getLogger("tts-routes");
+
+const MESSAGE_TTS_FLAG = "feature_flags.message-tts.enabled" as const;
+
+// ---------------------------------------------------------------------------
+// Route definitions
+// ---------------------------------------------------------------------------
+
+export function ttsRouteDefinitions(): RouteDefinition[] {
+  return [
+    {
+      endpoint: "messages/:id/tts",
+      method: "POST",
+      policyKey: "messages/tts",
+      handler: async ({ url, params }) => {
+        const config = getConfig();
+
+        if (!isAssistantFeatureFlagEnabled(MESSAGE_TTS_FLAG, config)) {
+          return httpError("FORBIDDEN", "Message TTS is not enabled", 403);
+        }
+
+        const messageId = params.id;
+        const conversationId =
+          url.searchParams.get("conversationId") ?? undefined;
+
+        const result = getMessageContent(messageId, conversationId);
+        if (!result) {
+          return httpError("NOT_FOUND", `Message ${messageId} not found`, 404);
+        }
+
+        if (!result.text) {
+          return httpError("BAD_REQUEST", "Message has no text content", 400);
+        }
+
+        const sanitizedText = sanitizeForTts(result.text);
+        if (!sanitizedText.trim()) {
+          return httpError(
+            "BAD_REQUEST",
+            "Message has no speakable text content",
+            400,
+          );
+        }
+
+        const { fishAudio } = config;
+        if (!fishAudio?.referenceId) {
+          return httpError(
+            "SERVICE_UNAVAILABLE",
+            "Fish Audio TTS is not configured",
+            503,
+          );
+        }
+
+        try {
+          const audioBuffer = await synthesizeWithFishAudio(
+            sanitizedText,
+            fishAudio,
+          );
+
+          const format = fishAudio.format ?? "mp3";
+          const contentType =
+            format === "wav"
+              ? "audio/wav"
+              : format === "opus"
+                ? "audio/opus"
+                : "audio/mpeg";
+
+          return new Response(new Uint8Array(audioBuffer), {
+            status: 200,
+            headers: { "Content-Type": contentType },
+          });
+        } catch (err) {
+          log.error({ err, messageId }, "TTS synthesis failed");
+          return httpError("INTERNAL_ERROR", "TTS synthesis failed", 502);
+        }
+      },
+    },
+  ];
+}

package/src/runtime/routes/upgrade-broadcast-routes.ts

@@ -1,6 +1,6 @@
 /**
  * Upgrade broadcast endpoint — publishes service group update lifecycle
- * events (starting / complete) to all connected SSE clients.
+ * events (starting / progress / complete) to all connected SSE clients.
  *
  * Protected by a route policy restricting access to gateway service
  * principals only (`svc_gateway` with `internal.write` scope), following
@@ -11,6 +11,7 @@
 
 import type {
   ServiceGroupUpdateComplete,
+  ServiceGroupUpdateProgress,
   ServiceGroupUpdateStarting,
 } from "../../daemon/message-types/upgrades.js";
 import { buildAssistantEvent } from "../assistant-event.js";
@@ -86,6 +87,29 @@ export function upgradeBroadcastRouteDefinitions(): RouteDefinition[] {
           return Response.json({ ok: true });
         }
 
+        if (type === "progress") {
+          const { statusMessage } = body as { statusMessage?: unknown };
+
+          if (typeof statusMessage !== "string" || statusMessage.length === 0) {
+            return httpError(
+              "BAD_REQUEST",
+              "statusMessage is required and must be a non-empty string",
+              400,
+            );
+          }
+
+          const message: ServiceGroupUpdateProgress = {
+            type: "service_group_update_progress",
+            statusMessage,
+          };
+
+          await assistantEventHub.publish(
+            buildAssistantEvent(DAEMON_INTERNAL_ASSISTANT_ID, message),
+          );
+
+          return Response.json({ ok: true });
+        }
+
         if (type === "complete") {
           const { installedVersion, success, rolledBackToVersion } = body as {
             installedVersion?: unknown;
@@ -142,7 +166,7 @@ export function upgradeBroadcastRouteDefinitions(): RouteDefinition[] {
 
         return httpError(
           "BAD_REQUEST",
-          'type must be "starting" or "complete"',
+          'type must be "starting", "progress", or "complete"',
           400,
         );
       },

package/src/runtime/routes/workspace-commit-routes.ts

@@ -0,0 +1,62 @@
+/**
+ * Workspace commit endpoint — creates a git commit in the workspace
+ * directory with all pending changes.
+ *
+ * Protected by a route policy restricting access to gateway service
+ * principals only (`svc_gateway` with `internal.write` scope), following
+ * the same pattern as other gateway-forwarded control-plane endpoints.
+ */
+
+import { getWorkspaceDir } from "../../util/platform.js";
+import { getWorkspaceGitService } from "../../workspace/git-service.js";
+import { httpError } from "../http-errors.js";
+import type { RouteDefinition } from "../http-router.js";
+
+export function workspaceCommitRouteDefinitions(): RouteDefinition[] {
+  return [
+    {
+      endpoint: "admin/workspace-commit",
+      method: "POST",
+      handler: async ({ req }) => {
+        let body: unknown;
+        try {
+          body = await req.json();
+        } catch {
+          return httpError("BAD_REQUEST", "Invalid JSON body", 400);
+        }
+
+        if (!body || typeof body !== "object") {
+          return httpError(
+            "BAD_REQUEST",
+            "Request body must be a JSON object",
+            400,
+          );
+        }
+
+        const { message } = body as { message?: unknown };
+
+        if (typeof message !== "string" || message.length === 0) {
+          return httpError(
+            "BAD_REQUEST",
+            "message is required and must be a non-empty string",
+            400,
+          );
+        }
+
+        try {
+          await getWorkspaceGitService(getWorkspaceDir()).commitChanges(
+            message,
+          );
+          return Response.json({ ok: true });
+        } catch (err) {
+          const detail = err instanceof Error ? err.message : "Unknown error";
+          return httpError(
+            "INTERNAL_ERROR",
+            `Workspace commit failed: ${detail}`,
+            500,
+          );
+        }
+      },
+    },
+  ];
+}

package/src/runtime/routes/workspace-routes.test.ts

@@ -190,9 +190,30 @@ describe("isTextMimeType", () => {
     expect(isTextMimeType("video/mp4")).toBe(false);
   });
 
-  test("application/octet-stream is not text", () => {
+  test("application/octet-stream is not text without filename", () => {
     expect(isTextMimeType("application/octet-stream")).toBe(false);
   });
+
+  test("application/octet-stream with .py filename is text", () => {
+    expect(isTextMimeType("application/octet-stream", "script.py")).toBe(true);
+  });
+
+  test("application/octet-stream with .go filename is text", () => {
+    expect(isTextMimeType("application/octet-stream", "main.go")).toBe(true);
+  });
+
+  test("application/octet-stream with .rs filename is text", () => {
+    expect(isTextMimeType("application/octet-stream", "lib.rs")).toBe(true);
+  });
+
+  test("application/octet-stream with unknown extension is not text", () => {
+    expect(isTextMimeType("application/octet-stream", "data.bin")).toBe(false);
+  });
+
+  test("extension fallback only applies to application/octet-stream", () => {
+    // A binary plist has a specific MIME type — extension should not override it
+    expect(isTextMimeType("application/x-plist", "Info.plist")).toBe(false);
+  });
 });
 
 // ===========================================================================

package/src/runtime/routes/workspace-routes.ts

@@ -119,7 +119,7 @@ function handleWorkspaceFile(ctx: RouteContext): Response {
   }
 
   const mimeType = Bun.file(resolved).type;
-  const isText = isTextMimeType(mimeType);
+  const isText = isTextMimeType(mimeType, basename(resolved));
   const isBinary = !isText;
 
   let content: string | undefined = undefined;

package/src/runtime/routes/workspace-utils.ts

@@ -85,10 +85,94 @@ const TEXT_MIME_PREFIXES = [
   "application/x-yaml",
   "application/toml",
   "application/x-sh",
+  "application/x-httpd-php",
+  "application/x-perl",
+  "application/x-sql",
+  "application/x-tex",
+  "application/vnd.dart",
 ];
 
-export function isTextMimeType(mimeType: string): boolean {
-  return TEXT_MIME_PREFIXES.some((prefix) => mimeType.startsWith(prefix));
+/**
+ * File extensions that are known text/code files but that Bun's MIME
+ * detection reports as `application/octet-stream`.
+ */
+const TEXT_FILE_EXTENSIONS = new Set([
+  // Programming languages
+  "py",
+  "rb",
+  "go",
+  "rs",
+  "swift",
+  "kt",
+  "kts",
+  "cs",
+  "scala",
+  "ex",
+  "exs",
+  "erl",
+  "hs",
+  "clj",
+  "cljs",
+  "jl",
+  "zig",
+  "nim",
+  "v",
+  "sol",
+  "r",
+  "java",
+  "lua",
+  // Shell / scripting
+  "bash",
+  "zsh",
+  "fish",
+  "ps1",
+  "bat",
+  "cmd",
+  "awk",
+  // Web frameworks
+  "vue",
+  "svelte",
+  "scss",
+  "sass",
+  "less",
+  // Config / data
+  "cfg",
+  "conf",
+  "ini",
+  "properties",
+  "env",
+  "gradle",
+  "cmake",
+  // Markup / docs
+  "rst",
+  "adoc",
+  "org",
+  "tex",
+  "latex",
+  // Other text formats
+  "graphql",
+  "gql",
+  "proto",
+  "tf",
+  "hcl",
+  "diff",
+  "patch",
+  "log",
+  "lock",
+]);
+
+export function isTextMimeType(mimeType: string, fileName?: string): boolean {
+  if (TEXT_MIME_PREFIXES.some((prefix) => mimeType.startsWith(prefix))) {
+    return true;
+  }
+  // Only fall back to extension check when the MIME type is genuinely unknown.
+  // Specific MIME types (e.g. application/x-plist for binary plists) should be
+  // trusted over the extension — overriding them risks corrupting binary files.
+  if (fileName && mimeType === "application/octet-stream") {
+    const ext = fileName.split(".").pop()?.toLowerCase();
+    if (ext && TEXT_FILE_EXTENSIONS.has(ext)) return true;
+  }
+  return false;
 }
 
 export const MAX_INLINE_TEXT_SIZE = 2 * 1024 * 1024; // 2 MB